
Windows Analysis Report
RFQ.exe

Overview

General Information

Sample name: RFQ.exe
Analysis ID: 1590528
MD5: df29ee043d88f265cd76747f62ab3ea7
SHA1: 0594a814e05c80618a72a865fa53d24fd351db5b
SHA256: 1528a6080656c5a8cf440d976047d7fa31e93e483c10142f416108f211145ff0
Tags: exe, RFQ, user-cocaman

Detection

Quasar, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Quasar
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Quasar RAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • RFQ.exe (PID: 6556 cmdline: "C:\Users\user\Desktop\RFQ.exe" MD5: DF29EE043D88F265CD76747F62AB3EA7)
    • powershell.exe (PID: 1012 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5968 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OLHTuSLw.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5244 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp3071.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RFQ.exe (PID: 7232 cmdline: "C:\Users\user\Desktop\RFQ.exe" MD5: DF29EE043D88F265CD76747F62AB3EA7)
    • RFQ.exe (PID: 7244 cmdline: "C:\Users\user\Desktop\RFQ.exe" MD5: DF29EE043D88F265CD76747F62AB3EA7)
      • schtasks.exe (PID: 7340 cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Client.exe (PID: 7452 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: DF29EE043D88F265CD76747F62AB3EA7)
        • powershell.exe (PID: 7592 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OLHTuSLw.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 7668 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp465A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
          • conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Client.exe (PID: 7880 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: DF29EE043D88F265CD76747F62AB3EA7)
          • schtasks.exe (PID: 7932 cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • OLHTuSLw.exe (PID: 7356 cmdline: C:\Users\user\AppData\Roaming\OLHTuSLw.exe MD5: DF29EE043D88F265CD76747F62AB3EA7)
    • schtasks.exe (PID: 6464 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp63B6.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • OLHTuSLw.exe (PID: 7516 cmdline: "C:\Users\user\AppData\Roaming\OLHTuSLw.exe" MD5: DF29EE043D88F265CD76747F62AB3EA7)
    • OLHTuSLw.exe (PID: 1904 cmdline: "C:\Users\user\AppData\Roaming\OLHTuSLw.exe" MD5: DF29EE043D88F265CD76747F62AB3EA7)
    • OLHTuSLw.exe (PID: 5416 cmdline: "C:\Users\user\AppData\Roaming\OLHTuSLw.exe" MD5: DF29EE043D88F265CD76747F62AB3EA7)
  • Client.exe (PID: 7552 cmdline: C:\Users\user\AppData\Roaming\SubDir\Client.exe MD5: DF29EE043D88F265CD76747F62AB3EA7)
    • powershell.exe (PID: 6656 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7444 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OLHTuSLw.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 1260 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp64CF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Client.exe (PID: 1772 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: DF29EE043D88F265CD76747F62AB3EA7)
    • Client.exe (PID: 1012 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: DF29EE043D88F265CD76747F62AB3EA7)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
{"Version": "1.4.1", "Host:Port": "toolsbox.ydns.eu:20901;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "33714128-68e4-4509-bd32-b7e414783d3eDtWike", "StartupKey": "Quasar Client Startup", "Tag": "gasplant", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Yara matches in memory dumps (42 entries in total, first 5 shown)
Source | Rule | Description | Author
  • 00000017.00000002.1811150520.00000000009CA000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
  • 0000000A.00000002.1756535087.0000000000940000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
  • 00000017.00000002.1813579238.00000000031E0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
  • 0000000E.00000002.1841403010.000000000A3BD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
  • 00000000.00000002.1787982427.00000000077F0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Yara matches in unpacked PE files (36 entries in total, first 5 shown)
Source | Rule | Description | Author
  • 0.2.RFQ.exe.77f0000.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 0.2.RFQ.exe.41362a8.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 0.2.RFQ.exe.77f0000.3.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 0.2.RFQ.exe.41362a8.0.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 15.2.Client.exe.470cf88.2.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security

AV Detection

Source: Process started; Author: Joe Security; Data: Command: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ.exe", ParentImage: C:\Users\user\Desktop\RFQ.exe, ParentProcessId: 7244, ParentProcessName: RFQ.exe, ProcessCommandLine: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 7340, ProcessName: schtasks.exe

E-Banking Fraud

Source: Process started; Author: Joe Security; Data: Command: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ.exe", ParentImage: C:\Users\user\Desktop\RFQ.exe, ParentProcessId: 7244, ParentProcessName: RFQ.exe, ProcessCommandLine: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 7340, ProcessName: schtasks.exe

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ.exe", ParentImage: C:\Users\user\Desktop\RFQ.exe, ParentProcessId: 6556, ParentProcessName: RFQ.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.exe", ProcessId: 1012, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ.exe", ParentImage: C:\Users\user\Desktop\RFQ.exe, ParentProcessId: 6556, ParentProcessName: RFQ.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.exe", ProcessId: 1012, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp465A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp465A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\Client.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\Client.exe, ParentProcessId: 7452, ParentProcessName: Client.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp465A.tmp", ProcessId: 7668, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp3071.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp3071.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ.exe", ParentImage: C:\Users\user\Desktop\RFQ.exe, ParentProcessId: 6556, ParentProcessName: RFQ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp3071.tmp", ProcessId: 5244, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ.exe", ParentImage: C:\Users\user\Desktop\RFQ.exe, ParentProcessId: 6556, ParentProcessName: RFQ.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.exe", ProcessId: 1012, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp3071.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp3071.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ.exe", ParentImage: C:\Users\user\Desktop\RFQ.exe, ParentProcessId: 6556, ParentProcessName: RFQ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp3071.tmp", ProcessId: 5244, ProcessName: schtasks.exe

Stealing of Sensitive Information

Source: Process started; Author: Joe Security; Data: Command: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ.exe", ParentImage: C:\Users\user\Desktop\RFQ.exe, ParentProcessId: 7244, ParentProcessName: RFQ.exe, ProcessCommandLine: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 7340, ProcessName: schtasks.exe

Remote Access Functionality

Source: Process started; Author: Joe Security; Data: Command: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ.exe", ParentImage: C:\Users\user\Desktop\RFQ.exe, ParentProcessId: 7244, ParentProcessName: RFQ.exe, ProcessCommandLine: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 7340, ProcessName: schtasks.exe

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
  • 2025-01-14T08:37:12.797299+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 185.222.57.67 | 20901 | 192.168.2.4 | 49735 | TCP
  • 2025-01-14T08:37:12.797299+0100 | 2027619 | 1 | Domain Observed Used for C2 Detected | 185.222.57.67 | 20901 | 192.168.2.4 | 49735 | TCP


AV Detection

Source: toolsbox.ydns.eu; Avira URL Cloud: Label: malware
Source: 15.2.Client.exe.470cf88.2.raw.unpack; Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "toolsbox.ydns.eu:20901;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "33714128-68e4-4509-bd32-b7e414783d3eDtWike", "StartupKey": "Quasar Client Startup", "Tag": "gasplant", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe; ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe; ReversingLabs: Detection: 60%
Source: RFQ.exe; ReversingLabs: Detection: 60%
Source: RFQ.exe; Virustotal: Detection: 21%
Source: Yara match; File source: 15.2.Client.exe.470cf88.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.Client.exe.470cf88.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ.exe.47e8788.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ.exe.47e8788.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ.exe.44cb168.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ.exe.44cb168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.Client.exe.43ab168.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000017.00000002.1811150520.00000000009CA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.1756535087.0000000000940000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.1813579238.00000000031E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.1841403010.000000000A3BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.1944343370.0000000004355000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.1756535087.000000000094A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.1831528808.0000000004825000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.1813127627.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1917697783.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.4161381551.0000000003931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.1758633139.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.1756721856.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.1813127627.0000000002F4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.1812111121.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.4161381551.000000000364B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000025.00000002.1919798656.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.1813062182.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000002.1916808513.0000000003391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.1965505722.000000000A17D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.1756637875.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.4156155064.00000000017D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.1910184573.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.1756425486.000000000087A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.1776568484.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1751448270.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.1758633139.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2006951486.000000000A231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2006951486.000000000AD92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1799380953.000000000AA31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1980380242.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1758777796.0000000004156000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RFQ.exe PID: 6556, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RFQ.exe PID: 7244, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: schtasks.exe PID: 7340, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: OLHTuSLw.exe PID: 7356, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Client.exe PID: 7452, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Client.exe PID: 7552, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Client.exe PID: 7880, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: schtasks.exe PID: 7932, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Client.exe PID: 1012, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: OLHTuSLw.exe PID: 5416, type: MEMORYSTR
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.6% probability
Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe; Joe Sandbox ML: detected
Source: RFQ.exe; Joe Sandbox ML: detected
Source: RFQ.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: RFQ.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: OUzz.pdbSHA2566; source: RFQ.exe, OLHTuSLw.exe.0.dr, Client.exe.9.dr
Source: Binary string: OUzz.pdb; source: RFQ.exe, OLHTuSLw.exe.0.dr, Client.exe.9.dr
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 4x nop then jmp 07C2EE5Ch, 0_2_07C2E52E
Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe; Code function: 4x nop then jmp 0704E064h, 12_2_0704D736
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe; Code function: 4x nop then jmp 0595E344h, 14_2_0595DA16

Networking

                      barindex
                      Source: Network trafficSuricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 185.222.57.67:20901 -> 192.168.2.4:49735
                      Source: Network trafficSuricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 185.222.57.67:20901 -> 192.168.2.4:49735
                      Source: Malware configuration extractorURLs: toolsbox.ydns.eu
                      Source: Yara matchFile source: 15.2.Client.exe.470cf88.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.RFQ.exe.47e8788.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.RFQ.exe.44cb168.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.Client.exe.43ab168.0.raw.unpack, type: UNPACKEDPE
                      Source: global trafficTCP traffic: 192.168.2.4:49735 -> 185.222.57.67:20901
                      Source: global trafficTCP traffic: 192.168.2.4:54636 -> 162.159.36.2:53
                      Source: Joe Sandbox ViewIP Address: 195.201.57.90 195.201.57.90
                      Source: Joe Sandbox ViewIP Address: 195.201.57.90 195.201.57.90
                      Source: Joe Sandbox ViewASN Name: ROOTLAYERNETNL ROOTLAYERNETNL
                      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: unknownDNS query: name: ipwho.is
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
                      Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: toolsbox.ydns.eu
Source: global traffic | DNS traffic detected: DNS query: ipwho.is
Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: Client.exe, 00000016.00000002.4158904161.000000000195F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: Client.exe, 00000016.00000002.4158904161.000000000195F000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.22.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Client.exe, 00000016.00000002.4161381551.00000000038E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.is
Source: Client.exe, 00000016.00000002.4161381551.00000000038E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.isd
Source: Client.exe, 00000016.00000002.4161381551.0000000003931000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: Client.exe, 00000016.00000002.4161381551.0000000003931000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/d
Source: RFQ.exe, 00000000.00000002.1751448270.0000000003181000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000009.00000002.1776568484.0000000003191000.00000004.00000800.00020000.00000000.sdmp, OLHTuSLw.exe, 0000000C.00000002.1910184573.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000E.00000002.1813062182.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.1917697783.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000016.00000002.4161381551.000000000364B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ.exe, OLHTuSLw.exe.0.dr, Client.exe.9.dr | String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: RFQ.exe, 00000000.00000002.1758777796.0000000004156000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000000.00000002.1799380953.000000000AA31000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000009.00000002.1758633139.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.2006951486.000000000A231000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.2006951486.000000000AD92000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.1980380242.00000000043AB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: Client.exe, 00000016.00000002.4161381551.00000000038D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipwho.is
Source: RFQ.exe, 00000000.00000002.1758777796.0000000004156000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000000.00000002.1799380953.000000000AA31000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000009.00000002.1758633139.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.2006951486.000000000A231000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.2006951486.000000000AD92000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.1980380242.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000016.00000002.4161381551.00000000038D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipwho.is/
Source: RFQ.exe, 00000000.00000002.1758777796.0000000004156000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000000.00000002.1799380953.000000000AA31000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000009.00000002.1758633139.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.2006951486.000000000A231000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.2006951486.000000000AD92000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.1980380242.00000000043AB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: RFQ.exe, 00000000.00000002.1758777796.0000000004156000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000000.00000002.1799380953.000000000AA31000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000009.00000002.1758633139.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.2006951486.000000000A231000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.2006951486.000000000AD92000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.1980380242.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000016.00000002.4161381551.0000000003652000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: RFQ.exe, 00000000.00000002.1758777796.0000000004156000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000000.00000002.1799380953.000000000AA31000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000009.00000002.1758633139.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.2006951486.000000000A231000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.2006951486.000000000AD92000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.1980380242.00000000043AB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49737 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Windows user hook set: 0 keyboard low level | C:\Users\user\AppData\Roaming\SubDir\Client.exe

                      E-Banking Fraud

Source: Yara match | File source: 15.2.Client.exe.470cf88.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Client.exe.470cf88.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.47e8788.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.47e8788.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.44cb168.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.44cb168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Client.exe.43ab168.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: Process Memory Space: RFQ.exe PID: 6556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RFQ.exe PID: 7244, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: schtasks.exe PID: 7340, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: OLHTuSLw.exe PID: 7356, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Client.exe PID: 7452, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Client.exe PID: 7552, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Client.exe PID: 7880, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: schtasks.exe PID: 7932, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Client.exe PID: 1012, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: OLHTuSLw.exe PID: 5416, type: MEMORYSTR

                      System Summary

Source: 15.2.Client.exe.470cf88.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 15.2.Client.exe.470cf88.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 15.2.Client.exe.470cf88.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: 15.2.Client.exe.470cf88.2.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 15.2.Client.exe.470cf88.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 15.2.Client.exe.470cf88.2.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: 0.2.RFQ.exe.47e8788.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 0.2.RFQ.exe.47e8788.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.RFQ.exe.47e8788.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: 9.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 9.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 9.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: 0.2.RFQ.exe.47e8788.1.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 0.2.RFQ.exe.47e8788.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.RFQ.exe.47e8788.1.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: 0.2.RFQ.exe.44cb168.2.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 0.2.RFQ.exe.44cb168.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.RFQ.exe.44cb168.2.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: 0.2.RFQ.exe.44cb168.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 0.2.RFQ.exe.44cb168.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.RFQ.exe.44cb168.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: 15.2.Client.exe.43ab168.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 15.2.Client.exe.43ab168.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 15.2.Client.exe.43ab168.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: initial sample | Static PE information: Filename: RFQ.exe
Source: RFQ.exe, 00000000.00000002.1787982427.00000000077F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.1758777796.0000000004156000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.1735631800.00000000012EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.1758777796.0000000004119000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.1799380953.000000000AA31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.1751448270.0000000003111000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs RFQ.exe
Source: RFQ.exe, 00000009.00000002.1758633139.0000000000720000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs RFQ.exe
Source: RFQ.exe | Binary or memory string: OriginalFilenameOUzz.exe0 vs RFQ.exe
Source: RFQ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 15.2.Client.exe.470cf88.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 15.2.Client.exe.470cf88.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
Source: 15.2.Client.exe.470cf88.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 15.2.Client.exe.470cf88.2.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 15.2.Client.exe.470cf88.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
Source: 15.2.Client.exe.470cf88.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.RFQ.exe.47e8788.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.RFQ.exe.47e8788.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
Source: 0.2.RFQ.exe.47e8788.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 9.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 9.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
Source: 9.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.RFQ.exe.47e8788.1.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.RFQ.exe.47e8788.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
Source: 0.2.RFQ.exe.47e8788.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.RFQ.exe.44cb168.2.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.RFQ.exe.44cb168.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
Source: 0.2.RFQ.exe.44cb168.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.RFQ.exe.44cb168.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.RFQ.exe.44cb168.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
Source: 0.2.RFQ.exe.44cb168.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 15.2.Client.exe.43ab168.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 15.2.Client.exe.43ab168.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
Source: 15.2.Client.exe.43ab168.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@56/37@3/2
Source: C:\Users\user\Desktop\RFQ.exe | File created: C:\Users\user\AppData\Roaming\OLHTuSLw.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1448:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6676:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2908:120:WilError_03
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\33714128-68e4-4509-bd32-b7e414783d3eDtWike
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2496:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03
Source: C:\Users\user\Desktop\RFQ.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3071.tmp
Source: RFQ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RFQ.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\RFQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFQ.exe | ReversingLabs: Detection: 60%
Source: RFQ.exe | Virustotal: Detection: 21%
Source: C:\Users\user\Desktop\RFQ.exe | File read: C:\Users\user\Desktop\RFQ.exe
Source: unknown | Process created: C:\Users\user\Desktop\RFQ.exe "C:\Users\user\Desktop\RFQ.exe"
Source: C:\Users\user\Desktop\RFQ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp3071.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ.exe | Process created: C:\Users\user\Desktop\RFQ.exe "C:\Users\user\Desktop\RFQ.exe"
Source: C:\Users\user\Desktop\RFQ.exe | Process created: C:\Users\user\Desktop\RFQ.exe "C:\Users\user\Desktop\RFQ.exe"
Source: C:\Users\user\Desktop\RFQ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: unknown | Process created: C:\Users\user\AppData\Roaming\OLHTuSLw.exe C:\Users\user\AppData\Roaming\OLHTuSLw.exe
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe C:\Users\user\AppData\Roaming\SubDir\Client.exe
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp465A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp63B6.tmp"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp64CF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Process created: C:\Users\user\AppData\Roaming\OLHTuSLw.exe "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Process created: C:\Users\user\AppData\Roaming\OLHTuSLw.exe "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Process created: C:\Users\user\AppData\Roaming\OLHTuSLw.exe "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: dwrite.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windowscodecs.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: textshaping.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: propsys.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: edputil.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: netutils.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: appresolver.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: bcp47langs.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: slc.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sppc.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: dwrite.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windowscodecs.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: textshaping.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: propsys.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: edputil.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: netutils.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: appresolver.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: bcp47langs.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: slc.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sppc.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: secur32.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: schannel.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptnet.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: webio.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cabinet.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rasapi32.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rasman.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rtutils.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeSection loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeSection loaded: msasn1.dll
Source: C:\Users\user\Desktop\RFQ.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder    Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\RFQ.exe    File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: RFQ.exe    Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ.exe    Static PE information: Virtual size of .text is bigger than: 0x100000
Source: RFQ.exe    Static file information: File size 3973632 > 1048576
Source: RFQ.exe    Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3c9800
Source: RFQ.exe    Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: RFQ.exe    Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: OUzz.pdbSHA2566 source: RFQ.exe, OLHTuSLw.exe.0.dr, Client.exe.9.dr
Source: Binary string: OUzz.pdb source: RFQ.exe, OLHTuSLw.exe.0.dr, Client.exe.9.dr
Source: RFQ.exe    Static PE information: 0xC11A381B [Mon Aug 29 18:29:47 2072 UTC]
Source: C:\Users\user\Desktop\RFQ.exe    Code function: 0_2_02F2DA70 push eax; retf    0_2_02F2DA71
Source: C:\Users\user\Desktop\RFQ.exe    Code function: 0_2_0567ABA1 push 3405A415h; retf    0_2_0567ABAD
Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe    Code function: 12_2_00F4DA70 push eax; retf    12_2_00F4DA71
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe    Code function: 14_2_02BDDA70 push eax; retf    14_2_02BDDA71
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe    Code function: 15_2_02E7DA70 push eax; retf    15_2_02E7DA71
Source: C:\Users\user\Desktop\RFQ.exe    File created: C:\Users\user\AppData\Roaming\OLHTuSLw.exe
Source: C:\Users\user\Desktop\RFQ.exe    File created: C:\Users\user\AppData\Roaming\SubDir\Client.exe

                      Boot Survival

Source: C:\Users\user\Desktop\RFQ.exe    Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp3071.tmp"

                      Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\RFQ.exe    File opened: C:\Users\user\Desktop\RFQ.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\RFQ.exe    File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe    File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe    Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match | File source: Process Memory Space: RFQ.exe PID: 6556, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: OLHTuSLw.exe PID: 7356, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Client.exe PID: 7452, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Client.exe PID: 7552, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\RFQ.exe | Memory allocated: 2EE0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\RFQ.exe | Memory allocated: 3110000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\RFQ.exe | Memory allocated: 5110000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\RFQ.exe | Memory allocated: AA30000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\RFQ.exe | Memory allocated: BA30000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\RFQ.exe | Memory allocated: C110000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\RFQ.exe | Memory allocated: D110000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\RFQ.exe | Memory allocated: D5F0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\RFQ.exe | Memory allocated: 2FB0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\RFQ.exe | Memory allocated: 3190000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\RFQ.exe | Memory allocated: 2FB0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Memory allocated: F40000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Memory allocated: 2960000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Memory allocated: 2740000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Memory allocated: 9E60000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Memory allocated: 8C00000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Memory allocated: B1D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Memory allocated: C1D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Memory allocated: C680000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: 2B90000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: 2E30000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: 4E30000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: A0A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: B0A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: B760000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: C760000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: CC00000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: 2E30000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: 2FF0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: 4FF0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: A230000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: B230000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: B8F0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: C8F0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: CD90000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: 1C30000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: 3620000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: 34D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: 1590000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: 3270000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: 3110000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Memory allocated: 1880000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Memory allocated: 3390000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Memory allocated: 3190000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\RFQ.exe | Thread delayed: delay time: 922337203685477 (2 entries)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (12 entries)
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Thread delayed: delay time: 922337203685477 (4 entries)
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5100Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4319Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6946
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5206
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeWindow / User API: threadDelayed 8854
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeWindow / User API: threadDelayed 840
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8525
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7752
                      Source: C:\Users\user\Desktop\RFQ.exe TID: 6600Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3940Thread sleep count: 5100 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7228Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5700Thread sleep count: 292 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5800Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7272Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exe TID: 7268Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe TID: 7600Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7484Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7944Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7712Thread sleep count: 6946 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7876Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7784Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7824Thread sleep count: 5206 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7896Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7864Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 8028Thread sleep time: -23980767295822402s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 8064Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1740Thread sleep count: 8525 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1740Thread sleep count: 234 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7716Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7364Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7780Thread sleep time: -8301034833169293s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7016Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7748Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe TID: 7604Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\RFQ.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeThread delayed: delay time: 922337203685477
                      Source: Client.exe, 00000016.00000002.4180043435.0000000006017000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWft\windows\CurrentVersion\Internet Settings
                      Source: Client.exe, 00000016.00000002.4184295331.00000000066AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWx
                      Source: Client.exe, 00000016.00000002.4184295331.0000000006707000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: C:\Users\user\Desktop\RFQ.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\RFQ.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.exe"
Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.exe"
Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Source: C:\Users\user\Desktop\RFQ.exe	Memory written: C:\Users\user\Desktop\RFQ.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.exe"
Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp3071.tmp"
Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\Users\user\Desktop\RFQ.exe "C:\Users\user\Desktop\RFQ.exe"
Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\Users\user\Desktop\RFQ.exe "C:\Users\user\Desktop\RFQ.exe"
Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp63B6.tmp"
Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe	Process created: C:\Users\user\AppData\Roaming\OLHTuSLw.exe "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe	Process created: C:\Users\user\AppData\Roaming\OLHTuSLw.exe "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe	Process created: C:\Users\user\AppData\Roaming\OLHTuSLw.exe "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp465A.tmp"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp64CF.tmp"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Users\user\Desktop\RFQ.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Users\user\Desktop\RFQ.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeQueries volume information: C:\Users\user\AppData\Roaming\OLHTuSLw.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeQueries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeQueries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeQueries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Queries volume information: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\OLHTuSLw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

Source: Yara match | File source: 0.2.RFQ.exe.77f0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.41362a8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.77f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.41362a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1787982427.00000000077F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1758777796.0000000004119000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 15.2.Client.exe.470cf88.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Client.exe.470cf88.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.47e8788.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.47e8788.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.44cb168.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.44cb168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Client.exe.43ab168.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000017.00000002.1811150520.00000000009CA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1756535087.0000000000940000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1813579238.00000000031E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1841403010.000000000A3BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1944343370.0000000004355000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1756535087.000000000094A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1831528808.0000000004825000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1813127627.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1917697783.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.4161381551.0000000003931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1758633139.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1756721856.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1813127627.0000000002F4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1812111121.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.4161381551.000000000364B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.1919798656.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1813062182.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.1916808513.0000000003391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1965505722.000000000A17D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1756637875.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.4156155064.00000000017D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1910184573.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1756425486.000000000087A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1776568484.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1751448270.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1758633139.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2006951486.000000000A231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2006951486.000000000AD92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1799380953.000000000AA31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1980380242.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1758777796.0000000004156000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ.exe PID: 6556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RFQ.exe PID: 7244, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: schtasks.exe PID: 7340, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: OLHTuSLw.exe PID: 7356, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Client.exe PID: 7452, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Client.exe PID: 7552, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Client.exe PID: 7880, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: schtasks.exe PID: 7932, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Client.exe PID: 1012, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: OLHTuSLw.exe PID: 5416, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match | File source: 0.2.RFQ.exe.77f0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.41362a8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.77f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.41362a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1787982427.00000000077F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1758777796.0000000004119000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 15.2.Client.exe.470cf88.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Client.exe.470cf88.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.47e8788.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.47e8788.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.44cb168.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.44cb168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Client.exe.43ab168.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000017.00000002.1811150520.00000000009CA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1756535087.0000000000940000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1813579238.00000000031E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1841403010.000000000A3BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1944343370.0000000004355000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1756535087.000000000094A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1831528808.0000000004825000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1813127627.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1917697783.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.4161381551.0000000003931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1758633139.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1756721856.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1813127627.0000000002F4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1812111121.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.4161381551.000000000364B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.1919798656.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1813062182.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.1916808513.0000000003391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1965505722.000000000A17D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1756637875.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.4156155064.00000000017D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1910184573.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1756425486.000000000087A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1776568484.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1751448270.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1758633139.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2006951486.000000000A231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2006951486.000000000AD92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1799380953.000000000AA31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1980380242.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1758777796.0000000004156000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ.exe PID: 6556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RFQ.exe PID: 7244, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: schtasks.exe PID: 7340, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: OLHTuSLw.exe PID: 7356, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Client.exe PID: 7452, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Client.exe PID: 7552, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Client.exe PID: 7880, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: schtasks.exe PID: 7932, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Client.exe PID: 1012, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: OLHTuSLw.exe PID: 5416, type: MEMORYSTR
MITRE ATT&CK Matrix

The matrix was flattened during extraction; it is rebuilt here per tactic column, techniques listed top to bottom. Digits in square brackets are the count badges the report shows beside a technique, kept as extracted.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: [21] Windows Management Instrumentation; [1] Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: [1] Scheduled Task/Job; [1] DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: [111] Process Injection; [1] Scheduled Task/Job; [1] DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: [1] Masquerading; [11] Disable or Modify Tools; [41] Virtualization/Sandbox Evasion; [111] Process Injection; [1] Hidden Files and Directories; [2] Obfuscated Files or Information; [1] Timestomp; [1] DLL Side-Loading
Credential Access: [11] Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: [1] Query Registry; [111] Security Software Discovery; [1] Process Discovery; [41] Virtualization/Sandbox Evasion; [1] Application Window Discovery; [1] System Network Configuration Discovery; [1] File and Directory Discovery; [23] System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: [11] Input Capture; [1] Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: [11] Encrypted Channel; [1] Non-Standard Port; [1] Ingress Tool Transfer; [2] Non-Application Layer Protocol; [113] Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID 1590528, sample RFQ.exe, start date 14/01/2025, architecture WINDOWS, score 100)

The graph survived extraction only as its node and edge list; it is rebuilt here as a process tree. Numbers in square brackets are the count badges attached to a node in the graph, kept as extracted.

Start node: domains/IPs toolsbox.ydns.eu; ipwho.is; 2 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures.

RFQ.exe [7] started
    dropped: C:\Users\user\AppData\Roaming\OLHTuSLw.exe (PE32); C:\Users\...\OLHTuSLw.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp3071.tmp (XML); C:\Users\user\AppData\Local\...\RFQ.exe.log (ASCII)
    signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    RFQ.exe [4] started
        dropped: C:\Users\user\AppData\Roaming\...\Client.exe (PE32)
        signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
        Client.exe started
            signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
            Client.exe started
                network: toolsbox.ydns.eu 185.222.57.67:20901 (from local port 49735), ROOTLAYERNETNL, Netherlands; ipwho.is 195.201.57.90:443 (from local port 49737), HETZNER-ASDE, Germany
                signatures: Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
                schtasks.exe started
                    conhost.exe started
            powershell.exe started
                signatures: Loading BitLocker PowerShell Module
                conhost.exe started
            powershell.exe started
                conhost.exe started
            schtasks.exe started
                conhost.exe started
        schtasks.exe [1] started
            conhost.exe started
    powershell.exe [23] started
        signatures: Loading BitLocker PowerShell Module
        conhost.exe started
    powershell.exe [23] started
        conhost.exe started
    2 other processes
        conhost.exe started
Client.exe started
    powershell.exe started
        conhost.exe started
    powershell.exe started
        conhost.exe started
    3 other processes
        conhost.exe started
OLHTuSLw.exe [5] started
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    schtasks.exe started
        conhost.exe started
    3 other processes

Source | Detection | Scanner | Label
RFQ.exe | 61% | ReversingLabs | Win32.Backdoor.Quasarrat
RFQ.exe | 21% | Virustotal |
RFQ.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\OLHTuSLw.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\SubDir\Client.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\OLHTuSLw.exe | 61% | ReversingLabs | Win32.Backdoor.Quasarrat
C:\Users\user\AppData\Roaming\SubDir\Client.exe | 61% | ReversingLabs | Win32.Backdoor.Quasarrat
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label
http://ipwho.isd | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/d | 0% | Avira URL Cloud | safe
toolsbox.ydns.eu | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
toolsbox.ydns.eu | 185.222.57.67 | true | true | | unknown
ipwho.is | 195.201.57.90 | true | false | | high
198.187.3.20.in-addr.arpa | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
toolsbox.ydns.eu | true | Avira URL Cloud: malware | unknown
https://ipwho.is/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | RFQ.exe, 00000000.00000002.1758777796.0000000004156000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000000.00000002.1799380953.000000000AA31000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000009.00000002.1758633139.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.2006951486.000000000A231000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.2006951486.000000000AD92000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.1980380242.00000000043AB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/14436606/23354 | RFQ.exe, 00000000.00000002.1758777796.0000000004156000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000000.00000002.1799380953.000000000AA31000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000009.00000002.1758633139.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.2006951486.000000000A231000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.2006951486.000000000AD92000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.1980380242.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000016.00000002.4161381551.0000000003652000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.datacontract.org/2004/07/ | Client.exe, 00000016.00000002.4161381551.0000000003931000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ipwho.isd | Client.exe, 00000016.00000002.4161381551.00000000038E4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/DataSet1.xsd | RFQ.exe, OLHTuSLw.exe.0.dr, Client.exe.9.dr | false | | high
http://www.tiro.com | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.carterandcone.coml | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.com | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.typography.netD | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.datacontract.org/2004/07/d | Client.exe, 00000016.00000002.4161381551.0000000003931000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/staff/dennis.htm | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/frere-user.html | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/11564914/23354; | RFQ.exe, 00000000.00000002.1758777796.0000000004156000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000000.00000002.1799380953.000000000AA31000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000009.00000002.1758633139.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.2006951486.000000000A231000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.2006951486.000000000AD92000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.1980380242.00000000043AB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ipwho.is | Client.exe, 00000016.00000002.4161381551.00000000038D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers8 | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.urwpp.deDPlease | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354sCannot | RFQ.exe, 00000000.00000002.1758777796.0000000004156000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000000.00000002.1799380953.000000000AA31000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000009.00000002.1758633139.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.2006951486.000000000A231000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.2006951486.000000000AD92000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.1980380242.00000000043AB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.zhongyicts.com.cn | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RFQ.exe, 00000000.00000002.1751448270.0000000003181000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000009.00000002.1776568484.0000000003191000.00000004.00000800.00020000.00000000.sdmp, OLHTuSLw.exe, 0000000C.00000002.1910184573.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000E.00000002.1813062182.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000F.00000002.1917697783.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000016.00000002.4161381551.000000000364B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | RFQ.exe, 00000000.00000002.1782320813.0000000007312000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ipwho.is | Client.exe, 00000016.00000002.4161381551.00000000038E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.222.57.67 | toolsbox.ydns.eu | Netherlands | 51447 | ROOTLAYERNETNL | true
195.201.57.90 | ipwho.is | Germany | 24940 | HETZNER-ASDE | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1590528
Start date and time: 2025-01-14 08:36:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RFQ.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@56/37@3/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 185
• Number of non-executed functions: 20
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 199.232.210.172, 184.28.90.27, 20.12.23.50, 20.3.187.198, 4.245.163.56, 13.107.246.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
02:36:59 | API Interceptor | 1x Sleep call for process: RFQ.exe modified
02:37:02 | API Interceptor | 164x Sleep call for process: powershell.exe modified
02:37:05 | API Interceptor | 13172969x Sleep call for process: Client.exe modified
02:37:12 | API Interceptor | 1x Sleep call for process: OLHTuSLw.exe modified
07:37:04 | Task Scheduler | Run new task: OLHTuSLw path: C:\Users\user\AppData\Roaming\OLHTuSLw.exe
07:37:06 | Task Scheduler | Run new task: Quasar Client Startup path: C:\Users\user\AppData\Roaming\SubDir\Client.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.222.57.67 | owKQ0b029a.exe | malicious | RedLine | 185.222.57.67:55615/
195.201.57.90 | SPt4FUjZMt.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLine | /?output=json
195.201.57.90 | 765iYbgWn9.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | 765iYbgWn9.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | WfKynArKjH.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | /?output=json
195.201.57.90 | ubes6SC7Vd.exe | malicious | Unknown | ipwhois.app/xml/
195.201.57.90 | cOQD62FceM.exe | malicious | Luca Stealer, Rusty Stealer | /?output=json
195.201.57.90 | Clipper.exe | malicious | Unknown | /?output=json
195.201.57.90 | cOQD62FceM.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | Cryptor.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | Cryptor.exe | malicious | Luca Stealer, Rusty Stealer | /?output=json
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipwho.is | QUOTATION-9044456778.pdf (83kb).com.exe | malicious | PureLog Stealer, Quasar | 195.201.57.90
ipwho.is | QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | malicious | Quasar | 195.201.57.90
ipwho.is | UXxZ4m65ro.exe | malicious | Quasar | 195.201.57.90
ipwho.is | ny9LDJr6pA.exe | malicious | Quasar | 195.201.57.90
ipwho.is | jaTDEkWCbs.exe | malicious | Quasar | 195.201.57.90
ipwho.is | 2Mi3lKoJfj.exe | malicious | Quasar | 195.201.57.90
ipwho.is | YJaaZuNHwI.exe | malicious | Quasar | 195.201.57.90
ipwho.is | Flasher.exe | malicious | Luca Stealer, Rusty Stealer | 108.181.61.49
ipwho.is | msgde.exe | malicious | Quasar | 108.181.61.49
ipwho.is | 6ee7HCp9cD.exe | malicious | Quasar | 108.181.61.49
bg.microsoft.map.fastly.net | possible SPAM## Msig Insurance Europe Complete via-Sign Monday January 2025.msg | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | 3ClBcOpPUX.exe | malicious | CyberGate | 199.232.210.172
bg.microsoft.map.fastly.net | 40#U0433.doc | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | KymUijfvKi.doc | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | Rev5_ Joint Declaration C5 GER_track changes.doc | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | RoYAd85faz.doc | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 40#U0433.doc | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | RoYAd85faz.doc | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | 3.19.1+SetupWIService.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | JUbmpeT.exe | malicious | Vidar | 199.232.210.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HETZNER-ASDE | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-ASDE | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-ASDE | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-ASDE | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-ASDE | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-ASDE | https://ipfs.io/ipfs/bafkreidfpb2invnj4i76skys5sfmk3hycbkxhquyb7d6uhnbls3gwf4a5q | malicious | HTMLPhisher | 178.63.67.153
HETZNER-ASDE | https://tinyurl.com/ch268ddp | malicious | Unknown | 116.202.167.133
HETZNER-ASDE | https://mmrtb.com/bonus/com-se-5609/global-bb.php?c=4yzi190z6iz1&k=9b48c9184ff290e347cb73c9f3a90c2b&country_code=SE&carrier=Spring%20Mobil&country_name=Sweden&region=Stockholms%20Lan&city=Stockholm&isp=Tele2%20SWIPnet&lang=sv&os=Windows%2010&osv=&browser=Chrome&browserv=131&brand=Desktop&model=Desktop&marketing_name=Desktop&tablet=4&rheight=768&rwidth=768&e= | malicious | Unknown | 148.251.120.78
HETZNER-ASDE | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-ASDE | https://urlz.fr/tJIZ | malicious | Unknown | 116.202.167.155
ROOTLAYERNETNL | p0GiAimtNm.exe | malicious | RedLine | 185.222.58.237
ROOTLAYERNETNL | nzLoHpgAln.exe | malicious | RedLine | 185.222.57.76
ROOTLAYERNETNL | ljMiHZ8MwZ.exe | malicious | RedLine | 45.137.22.250
ROOTLAYERNETNL | aYf5ibGObB.exe | malicious | RedLine | 185.222.58.90
ROOTLAYERNETNL | K3xL5Xy0XS.exe | malicious | RedLine | 185.222.58.90
ROOTLAYERNETNL | Invoice-BL. Payment TT $ 16945.99.exe | malicious | RedLine | 45.137.22.164
ROOTLAYERNETNL | MfzXU6tKOq.exe | malicious | PureLog Stealer, RedLine | 185.222.58.82
ROOTLAYERNETNL | lWnSA7IyVc.exe | malicious | PureLog Stealer, RedLine | 185.222.58.229
ROOTLAYERNETNL | 8ZVd2S51fr.exe | malicious | RedLine | 185.222.58.241
ROOTLAYERNETNL | Purchase Order Purchase Order Purchase Order Purchase Order.exe | malicious | FormBook, GuLoader | 185.222.57.90
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | PI ITS15235.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | https://performancemanager10.successfactors.com/sf/hrisworkflowapprovelink?workflowRequestId=V4-0-a1-iHQRWD3bQis7XhhWNKzjfWwnvURbEsN0CxUc27Zt3ml0ag&company=oceanagoldT2&username=dave.oliver@oceanagold.com | malicious | Unknown | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | https://imtcoken.im/ | malicious | Unknown | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | https://ipfs.io/ipfs/bafkreidfpb2invnj4i76skys5sfmk3hycbkxhquyb7d6uhnbls3gwf4a5q | malicious | HTMLPhisher | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | http://pub-575fb9d74c7a46f0828b37cda8dd9c40.r2.dev/docu/e_protocol.html?e | malicious | HTMLPhisher | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | https://eb-ri18.vercel.app/verset.html | malicious | HTMLPhisher | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | https://metahorizonsfacebooksupport.tempisite.com/italy39 | malicious | HTMLPhisher | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | http://ubiquitous-twilight-c9292b.netlify.app/ | malicious | Unknown | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | https://jaffeusacanna-9646.vercel.app/zqh.heups/ | malicious | HTMLPhisher | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | https://realrectify.pages.dev/self/ | malicious | HTMLPhisher | 195.201.57.90
                                                                                                    No context
                                                                                                    Process:C:\Users\user\AppData\Roaming\SubDir\Client.exe
                                                                                                    File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                    Category:dropped
                                                                                                    Size (bytes):71954
                                                                                                    Entropy (8bit):7.996617769952133
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                                    MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                                    SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                                    SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                                    SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                    Malicious:false
                                                                                                    Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                                                    Process:C:\Users\user\AppData\Roaming\SubDir\Client.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):328
                                                                                                    Entropy (8bit):3.2299096522237485
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:kK5T9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:gDImsLNkPlE99SNxAhUe/3
                                                                                                    MD5:FDFBF3B50A1DFBC3E1015053E11BC0A4
                                                                                                    SHA1:58F8CCB0AC60D12C1811AA6C468A0E01D7984FF5
                                                                                                    SHA-256:90A770486AF685268469947FBB91436CF04F6042E0B145C41CE932C3439E867C
                                                                                                    SHA-512:BB1105DF0927BAA00EED0C1B52DA5BB11B3739CBEBCE919A1B33E09B15DD229A8E7443EC9EBE9B85A2A792F35414B84A637325B8F5861DEB5FDA2057AD98EBD1
                                                                                                    Malicious:false
                                                                                                    Preview:p...... ..........eWf..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
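Added example (not part of the Joe Sandbox report): a small Python triage routine that reproduces the per-file fields used in the two entries above (size, 8-bit entropy, an "Encrypted" verdict, a file-type guess from the magic bytes, MD5/SHA-1/SHA-256/SHA-512) and pulls the UTF-16LE URL out of a blob shaped like the 328-byte cache metadata file. The input blobs are constructed here; the 7.9 entropy cut-off for "encrypted" is an assumption chosen to separate the two values shown (7.9966 flagged true, 5.34 flagged false), not the sandbox's own rule. SSDEEP is left out because it is not in the standard library.

```python
"""Dropped-file triage: entropy, magic, hashes and UTF-16LE string carving.
Added example; sample inputs are constructed, not taken from the sandbox."""
import hashlib
import math
import re
from collections import Counter

# Assumed threshold: 8.0 is the ceiling for byte entropy, so values just below
# it mean compressed or encrypted content. 7.9 separates the 7.9966 CAB
# (Encrypted:true) from the 5.34 text log (Encrypted:false) shown above.
ENCRYPTED_THRESHOLD = 7.9

# Magic bytes for the container types that matter in this report.
MAGIC = {
    b"MSCF": "Microsoft Cabinet archive data",
    b"MZ": "PE executable (MZ header)",
    b"PK\x03\x04": "Zip archive data",
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def guess_type(data: bytes) -> str:
    """libmagic-style label: known magic first, then printable-ASCII check."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    if data and all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "ASCII text, with CRLF line terminators" if b"\r\n" in data else "ASCII text"
    return "data"


def triage(data: bytes) -> dict:
    """Return the same field set the report prints for each dropped file."""
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": round(ent, 6),
        "encrypted": ent > ENCRYPTED_THRESHOLD,
        "type": guess_type(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


# Printable UTF-16LE run of at least six characters (char byte followed by NUL).
UTF16_STRING = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def utf16le_strings(data: bytes) -> list[str]:
    """Carve UTF-16LE strings, which is how the URL shows up in the 328-byte
    cache metadata preview as 'h.t.t.p.:././...'."""
    return [m.group().decode("utf-16-le") for m in UTF16_STRING.finditer(data)]


def _cyclic(n: int) -> bytes:
    """Byte pattern that visits every value equally often (maximal entropy)."""
    return bytes((i * 131 + 7) & 0xFF for i in range(n))


# Constructed sample 1: CAB magic followed by high-entropy payload, standing in
# for the compressed authroot.stl container.
SAMPLE_CAB = b"MSCF" + _cyclic(4096)

# Constructed sample 2: a binary header, NUL padding and the CTL download URL
# embedded as UTF-16LE, mimicking the cache metadata record.
CTL_URL = "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
SAMPLE_META = b"p\x00\x00\x00 \x00" + b"\x00" * 40 + CTL_URL.encode("utf-16-le") + b"\x00" * 8

# Constructed sample 3: CRLF-terminated ASCII text.
SAMPLE_TEXT = b'1,"fusion","GAC",0\r\n1,"WinRT","NotApp",1\r\n'

if __name__ == "__main__":
    for label, blob in (("cab", SAMPLE_CAB), ("meta", SAMPLE_META), ("text", SAMPLE_TEXT)):
        print(label, triage(blob))
    print(utf16le_strings(SAMPLE_META))
```

The CAB holding authroot.stl and the cache record pointing at ctldl.windowsupdate.com are the certificate trust list download that CryptoAPI performs while building a certificate chain (the "0x1 compression" in the file type line is MSZIP); the entropy near 8.0 comes from that compression, which is consistent with both entries being marked Malicious:false even though the injected Client.exe process wrote them.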
                                                                                                    Process:C:\Users\user\AppData\Roaming\SubDir\Client.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1216
                                                                                                    Entropy (8bit):5.34331486778365
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                    Malicious:false
                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                    Process:C:\Users\user\AppData\Roaming\OLHTuSLw.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1216
                                                                                                    Entropy (8bit):5.34331486778365
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                    Malicious:false
                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                    Process:C:\Users\user\Desktop\RFQ.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1216
                                                                                                    Entropy (8bit):5.34331486778365
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                    Malicious:true
                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
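Added example (not part of the report): a parser for the CLR usage-log format visible in the three 1216-byte text files above (one each from Client.exe, OLHTuSLw.exe and RFQ.exe; identical SHA-256, so all three .NET processes recorded the same framework assemblies). The sample log is constructed from the preview lines; the meaning of the leading numeric field is inferred from the rows (1 = fusion/WinRT header rows, 2 = assembly identity only, 3 = identity plus native-image path) and is an assumption, not documented format semantics.

```python
"""CLR usage-log parser and assembly-set comparison. Added example; the
sample log is constructed from the preview lines shown in the report."""
import csv
from dataclasses import dataclass

# Constructed sample, CRLF-terminated like the dropped files.
SAMPLE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\920e3d1d70447c3c10e69e6df0766568\\System.ni.dll",0\r\n'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\8b2c1203fd20aea8260bfbc518004720\\System.Core.ni.dll",0\r\n'
)


@dataclass
class AssemblyRecord:
    kind: int                # assumed: 2 = identity only, 3 = identity + native image
    name: str
    version: str = ""
    public_key_token: str = ""
    native_image: str = ""   # NGen image path when kind == 3
    flag: int = 0            # trailing numeric column, meaning not documented here


def parse_identity(identity: str) -> dict:
    """Split 'Name, Version=..., Culture=..., PublicKeyToken=...' into parts."""
    parts = [p.strip() for p in identity.split(",")]
    props = {"name": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        props[key] = value
    return props


def parse_usage_log(text: str) -> list[AssemblyRecord]:
    """Parse the quoted CSV rows; identity strings contain commas, so csv is
    used rather than a plain split."""
    records = []
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        kind = int(row[0])
        if kind == 1:
            continue  # header rows (fusion/GAC, WinRT/NotApp), not assemblies
        ident = parse_identity(row[1])
        native = row[2] if len(row) == 4 else ""
        records.append(AssemblyRecord(
            kind=kind,
            name=ident["name"],
            version=ident.get("Version", ""),
            public_key_token=ident.get("PublicKeyToken", ""),
            native_image=native,
            flag=int(row[-1]),
        ))
    return records


def assembly_set(text: str) -> frozenset[str]:
    """Short names of every assembly the process recorded."""
    return frozenset(r.name for r in parse_usage_log(text))


def same_load_set(log_a: str, log_b: str) -> bool:
    """True when two processes recorded the same set of assemblies."""
    return assembly_set(log_a) == assembly_set(log_b)


if __name__ == "__main__":
    for rec in parse_usage_log(SAMPLE_LOG):
        print(rec.kind, rec.name, rec.version, rec.native_image or "(no native image)")
    print(same_load_set(SAMPLE_LOG, SAMPLE_LOG))
```

Comparing the assembly sets of the three dropped logs is a quick consistency check that OLHTuSLw.exe and SubDir\Client.exe are the same .NET payload re-executed from its persistence location rather than distinct stages; the presence of System.Windows.Forms fits the global keyboard hook listed in the signatures, since the hook APIs are typically reached through that assembly's message loop.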
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:modified
                                                                                                    Size (bytes):2232
                                                                                                    Entropy (8bit):5.377482315202066
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:oWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:oLHxvCsIfA2KRHmOugw1s
                                                                                                    MD5:C45790672D75D88558FD5B1F7C85B61A
                                                                                                    SHA1:B7A488219D06C0695CA45C17483B17B4A294A898
                                                                                                    SHA-256:15F3ECE53F98C303DC5201838C263ACACF6522BD8CC96F37C968174900E666A5
                                                                                                    SHA-512:08FB0D42DD1E5FDF19E0E5B0CE13C2049F6EBDA91008C4CCEBF5731EAACC80B91BA35EB875783FB89C4CCEDF7D91BD69320ADF7D1B1A3E91CFA90E7A950A9BC1
                                                                                                    Malicious:false
                                                                                                    Preview:@...e.................................!..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Users\user\Desktop\RFQ.exe
                                                                                                    File Type:XML 1.0 document, ASCII text
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1574
                                                                                                    Entropy (8bit):5.108632772459893
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaTxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTIv
                                                                                                    MD5:1DF14D44884B62204F90C5D67D5A86CA
                                                                                                    SHA1:CA5B9B858D8380E778E6A013AF11E14FD3DA9FCC
                                                                                                    SHA-256:B206DD472B04FECBEEFC12EB8491B12A548C39FDA88649A0DAD492CF7BDF8247
                                                                                                    SHA-512:14548A87B4C6C6408770CDBB0C89DBE43F1B4FE2BA3F9C3DF03A5B48DB2A3E50412C38BF3BE8B5DAA856B6C23E1E7972E066D2E1DD296F7F53C38528A9993699
                                                                                                    Malicious:true
                                                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                    Process:C:\Users\user\AppData\Roaming\SubDir\Client.exe
                                                                                                    File Type:XML 1.0 document, ASCII text
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1574
                                                                                                    Entropy (8bit):5.108632772459893
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaTxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTIv
                                                                                                    MD5:1DF14D44884B62204F90C5D67D5A86CA
                                                                                                    SHA1:CA5B9B858D8380E778E6A013AF11E14FD3DA9FCC
                                                                                                    SHA-256:B206DD472B04FECBEEFC12EB8491B12A548C39FDA88649A0DAD492CF7BDF8247
                                                                                                    SHA-512:14548A87B4C6C6408770CDBB0C89DBE43F1B4FE2BA3F9C3DF03A5B48DB2A3E50412C38BF3BE8B5DAA856B6C23E1E7972E066D2E1DD296F7F53C38528A9993699
                                                                                                    Malicious:false
                                                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                    Process:C:\Users\user\AppData\Roaming\OLHTuSLw.exe
                                                                                                    File Type:XML 1.0 document, ASCII text
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1574
                                                                                                    Entropy (8bit):5.108632772459893
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaTxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTIv
                                                                                                    MD5:1DF14D44884B62204F90C5D67D5A86CA
                                                                                                    SHA1:CA5B9B858D8380E778E6A013AF11E14FD3DA9FCC
                                                                                                    SHA-256:B206DD472B04FECBEEFC12EB8491B12A548C39FDA88649A0DAD492CF7BDF8247
                                                                                                    SHA-512:14548A87B4C6C6408770CDBB0C89DBE43F1B4FE2BA3F9C3DF03A5B48DB2A3E50412C38BF3BE8B5DAA856B6C23E1E7972E066D2E1DD296F7F53C38528A9993699
                                                                                                    Malicious:false
                                                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                    Process:C:\Users\user\AppData\Roaming\SubDir\Client.exe
                                                                                                    File Type:XML 1.0 document, ASCII text
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1574
                                                                                                    Entropy (8bit):5.108632772459893
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaTxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTIv
                                                                                                    MD5:1DF14D44884B62204F90C5D67D5A86CA
                                                                                                    SHA1:CA5B9B858D8380E778E6A013AF11E14FD3DA9FCC
                                                                                                    SHA-256:B206DD472B04FECBEEFC12EB8491B12A548C39FDA88649A0DAD492CF7BDF8247
                                                                                                    SHA-512:14548A87B4C6C6408770CDBB0C89DBE43F1B4FE2BA3F9C3DF03A5B48DB2A3E50412C38BF3BE8B5DAA856B6C23E1E7972E066D2E1DD296F7F53C38528A9993699
                                                                                                    Malicious:false
                                                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                    Process:C:\Users\user\Desktop\RFQ.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):3973632
                                                                                                    Entropy (8bit):7.971104549846376
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:98304:WhZ14lAzlFFzMsYLtZvQ1pVjLvAMQkWS27MtXE:WhZ1AAvFzMBNQTBIMQkXtX
                                                                                                    MD5:DF29EE043D88F265CD76747F62AB3EA7
                                                                                                    SHA1:0594A814E05C80618A72A865FA53D24FD351DB5B
                                                                                                    SHA-256:1528A6080656C5A8CF440D976047D7FA31E93E483C10142F416108F211145FF0
                                                                                                    SHA-512:7826BC0582819FB165B25C21FD5A9385B47332201A464B8AE4A035D65F0B3C7ECE75507BA0ACFA92A6E8B55F2A18BA83344DBF3DB264BE7D43D3BEB5796384A1
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 61%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8................0...<...........<.. ....<...@.. ........................=...........@...................................<.O.....<.......................<......<.p............................................ ............... ..H............text.....<.. ....<................. ..`.rsrc.........<.......<.............@..@.reloc........<.......<.............@..B.................<.....H...........a......S.......0.;..........................................0..L.........}.....(.......(......(............s .....(!....o".....(#....o$.....(%....*.0............}........(&........('.....,5...(............s .....(.....o".....(.....o$....85....r...p.Y...((...o)...tY.......(*..........9.....s.........s+...s,...o-......o!...r...po...........,$..(!.....o!...r...po....s....o/........o0...(1.......o2...(3.......o4...(5.......o6...(7.......o8...(9.......o:...(;.........
                                                                                                    Process:C:\Users\user\Desktop\RFQ.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):26
                                                                                                    Entropy (8bit):3.95006375643621
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:ggPYV:rPYV
                                                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                    Malicious:true
                                                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Entropy (8bit):7.971104549846376
                                                                                                    TrID:
                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                                                    File name:RFQ.exe
                                                                                                    File size:3'973'632 bytes
                                                                                                    MD5:df29ee043d88f265cd76747f62ab3ea7
                                                                                                    SHA1:0594a814e05c80618a72a865fa53d24fd351db5b
                                                                                                    SHA256:1528a6080656c5a8cf440d976047d7fa31e93e483c10142f416108f211145ff0
                                                                                                    SHA512:7826bc0582819fb165b25c21fd5a9385b47332201a464b8ae4a035d65f0b3c7ece75507ba0acfa92a6e8b55f2a18ba83344dbf3db264be7d43d3beb5796384a1
                                                                                                    SSDEEP:98304:WhZ14lAzlFFzMsYLtZvQ1pVjLvAMQkWS27MtXE:WhZ1AAvFzMBNQTBIMQkXtX
                                                                                                    TLSH:4B0633543799DB03C88AA7F41922E2F867385D4CF961D20BAFD57EFF7976B081901A02
                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8................0...<...........<.. ....<...@.. ........................=...........@................................
                                                                                                    Icon Hash:90cececece8e8eb0
                                                                                                    Entrypoint:0x7cb5fa
                                                                                                    Entrypoint Section:.text
                                                                                                    Digitally signed:false
                                                                                                    Imagebase:0x400000
                                                                                                    Subsystem:windows gui
                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                    Time Stamp:0xC11A381B [Mon Aug 29 18:29:47 2072 UTC]
                                                                                                    TLS Callbacks:
                                                                                                    CLR (.Net) Version:
                                                                                                    OS Version Major:4
                                                                                                    OS Version Minor:0
                                                                                                    File Version Major:4
                                                                                                    File Version Minor:0
                                                                                                    Subsystem Version Major:4
                                                                                                    Subsystem Version Minor:0
                                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
call far 0000h : 003E9999h
aas
int CCh
dec esp
add byte ptr [eax], al   (this instruction is repeated 91 times)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3cb5a6 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3cc000 | 0x594 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3ce000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3c90f0 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x3c9610 | 0x3c9800 | 37d266fb1f6f02160913d02726f61d5c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x3cc000 | 0x594 | 0x600 | 6686cdd8e21c07999394b26e62dcc938 | False | 0.4140625 | data | 4.044051084694787 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x3ce000 | 0xc | 0x200 | d3ed50a8b088244e143089d69595fa22 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x3cc090 | 0x304 | data | | | 0.43134715025906734
RT_MANIFEST | 0x3cc3a4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-14T08:37:12.797299+0100 | 2027619 | ET MALWARE Observed Malicious SSL Cert (Quasar CnC) | 1 | 185.222.57.67 | 20901 | 192.168.2.4 | 49735 | TCP
2025-01-14T08:37:12.797299+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 185.222.57.67 | 20901 | 192.168.2.4 | 49735 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2025 08:37:12.171972990 CET | 49735 | 20901 | 192.168.2.4 | 185.222.57.67
Jan 14, 2025 08:37:12.177572966 CET | 20901 | 49735 | 185.222.57.67 | 192.168.2.4
Jan 14, 2025 08:37:12.177659988 CET | 49735 | 20901 | 192.168.2.4 | 185.222.57.67
Jan 14, 2025 08:37:12.182193995 CET | 49735 | 20901 | 192.168.2.4 | 185.222.57.67
Jan 14, 2025 08:37:12.187223911 CET | 20901 | 49735 | 185.222.57.67 | 192.168.2.4
Jan 14, 2025 08:37:12.788654089 CET | 20901 | 49735 | 185.222.57.67 | 192.168.2.4
Jan 14, 2025 08:37:12.788708925 CET | 20901 | 49735 | 185.222.57.67 | 192.168.2.4
Jan 14, 2025 08:37:12.788887978 CET | 49735 | 20901 | 192.168.2.4 | 185.222.57.67
Jan 14, 2025 08:37:12.792263985 CET | 49735 | 20901 | 192.168.2.4 | 185.222.57.67
Jan 14, 2025 08:37:12.797298908 CET | 20901 | 49735 | 185.222.57.67 | 192.168.2.4
Jan 14, 2025 08:37:12.962733030 CET | 20901 | 49735 | 185.222.57.67 | 192.168.2.4
Jan 14, 2025 08:37:13.170469999 CET | 49735 | 20901 | 192.168.2.4 | 185.222.57.67
Jan 14, 2025 08:37:13.967869997 CET | 49737 | 443 | 192.168.2.4 | 195.201.57.90
Jan 14, 2025 08:37:13.967916012 CET | 443 | 49737 | 195.201.57.90 | 192.168.2.4
Jan 14, 2025 08:37:13.967982054 CET | 49737 | 443 | 192.168.2.4 | 195.201.57.90
Jan 14, 2025 08:37:13.969044924 CET | 49737 | 443 | 192.168.2.4 | 195.201.57.90
Jan 14, 2025 08:37:13.969057083 CET | 443 | 49737 | 195.201.57.90 | 192.168.2.4
Jan 14, 2025 08:37:14.809848070 CET | 443 | 49737 | 195.201.57.90 | 192.168.2.4
Jan 14, 2025 08:37:14.810003042 CET | 49737 | 443 | 192.168.2.4 | 195.201.57.90
Jan 14, 2025 08:37:14.813900948 CET | 49737 | 443 | 192.168.2.4 | 195.201.57.90
Jan 14, 2025 08:37:14.813956022 CET | 443 | 49737 | 195.201.57.90 | 192.168.2.4
Jan 14, 2025 08:37:14.814464092 CET | 443 | 49737 | 195.201.57.90 | 192.168.2.4
Jan 14, 2025 08:37:14.819415092 CET | 49737 | 443 | 192.168.2.4 | 195.201.57.90
Jan 14, 2025 08:37:14.863409042 CET | 443 | 49737 | 195.201.57.90 | 192.168.2.4
Jan 14, 2025 08:37:15.009596109 CET | 443 | 49737 | 195.201.57.90 | 192.168.2.4
Jan 14, 2025 08:37:15.009675026 CET | 443 | 49737 | 195.201.57.90 | 192.168.2.4
Jan 14, 2025 08:37:15.010328054 CET | 49737 | 443 | 192.168.2.4 | 195.201.57.90
Jan 14, 2025 08:37:15.094783068 CET | 49737 | 443 | 192.168.2.4 | 195.201.57.90
Jan 14, 2025 08:37:15.305515051 CET | 49735 | 20901 | 192.168.2.4 | 185.222.57.67
Jan 14, 2025 08:37:15.310406923 CET | 20901 | 49735 | 185.222.57.67 | 192.168.2.4
Jan 14, 2025 08:37:15.310472965 CET | 49735 | 20901 | 192.168.2.4 | 185.222.57.67
Jan 14, 2025 08:37:15.315345049 CET | 20901 | 49735 | 185.222.57.67 | 192.168.2.4
Jan 14, 2025 08:37:15.595508099 CET | 20901 | 49735 | 185.222.57.67 | 192.168.2.4
Jan 14, 2025 08:37:15.720360994 CET | 20901 | 49735 | 185.222.57.67 | 192.168.2.4
Jan 14, 2025 08:37:15.720674038 CET | 49735 | 20901 | 192.168.2.4 | 185.222.57.67
Jan 14, 2025 08:37:29.678702116 CET | 54636 | 53 | 192.168.2.4 | 162.159.36.2
Jan 14, 2025 08:37:29.683629990 CET | 53 | 54636 | 162.159.36.2 | 192.168.2.4
Jan 14, 2025 08:37:29.683825016 CET | 54636 | 53 | 192.168.2.4 | 162.159.36.2
Jan 14, 2025 08:37:29.688838005 CET | 53 | 54636 | 162.159.36.2 | 192.168.2.4
Jan 14, 2025 08:37:30.148292065 CET | 54636 | 53 | 192.168.2.4 | 162.159.36.2
Jan 14, 2025 08:37:30.153645039 CET | 53 | 54636 | 162.159.36.2 | 192.168.2.4
Jan 14, 2025 08:37:30.153829098 CET | 54636 | 53 | 192.168.2.4 | 162.159.36.2
Jan 14, 2025 08:37:40.732970953 CET | 49735 | 20901 | 192.168.2.4 | 185.222.57.67
Jan 14, 2025 08:37:40.738038063 CET | 20901 | 49735 | 185.222.57.67 | 192.168.2.4
Jan 14, 2025 08:38:05.748537064 CET | 49735 | 20901 | 192.168.2.4 | 185.222.57.67
Jan 14, 2025 08:38:05.753693104 CET | 20901 | 49735 | 185.222.57.67 | 192.168.2.4
Jan 14, 2025 08:38:30.764297962 CET | 49735 | 20901 | 192.168.2.4 | 185.222.57.67
Jan 14, 2025 08:38:30.769218922 CET | 20901 | 49735 | 185.222.57.67 | 192.168.2.4
Jan 14, 2025 08:38:55.779860973 CET | 49735 | 20901 | 192.168.2.4 | 185.222.57.67
Jan 14, 2025 08:38:55.784919024 CET | 20901 | 49735 | 185.222.57.67 | 192.168.2.4
Jan 14, 2025 08:39:20.796570063 CET | 49735 | 20901 | 192.168.2.4 | 185.222.57.67
Jan 14, 2025 08:39:20.802056074 CET | 20901 | 49735 | 185.222.57.67 | 192.168.2.4
Jan 14, 2025 08:39:45.811192036 CET | 49735 | 20901 | 192.168.2.4 | 185.222.57.67
Jan 14, 2025 08:39:45.818161964 CET | 20901 | 49735 | 185.222.57.67 | 192.168.2.4
Jan 14, 2025 08:40:10.904983997 CET | 49735 | 20901 | 192.168.2.4 | 185.222.57.67
Jan 14, 2025 08:40:10.909936905 CET | 20901 | 49735 | 185.222.57.67 | 192.168.2.4
Jan 14, 2025 08:40:35.941808939 CET | 49735 | 20901 | 192.168.2.4 | 185.222.57.67
Jan 14, 2025 08:40:35.946697950 CET | 20901 | 49735 | 185.222.57.67 | 192.168.2.4
Jan 14, 2025 08:41:01.093458891 CET | 49735 | 20901 | 192.168.2.4 | 185.222.57.67
Jan 14, 2025 08:41:01.098459005 CET | 20901 | 49735 | 185.222.57.67 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2025 08:37:12.108465910 CET | 65222 | 53 | 192.168.2.4 | 1.1.1.1
Jan 14, 2025 08:37:12.128926039 CET | 53 | 65222 | 1.1.1.1 | 192.168.2.4
Jan 14, 2025 08:37:13.956491947 CET | 55204 | 53 | 192.168.2.4 | 1.1.1.1
Jan 14, 2025 08:37:13.964436054 CET | 53 | 55204 | 1.1.1.1 | 192.168.2.4
Jan 14, 2025 08:37:29.677939892 CET | 53 | 53394 | 162.159.36.2 | 192.168.2.4
Jan 14, 2025 08:37:30.166766882 CET | 57569 | 53 | 192.168.2.4 | 1.1.1.1
Jan 14, 2025 08:37:30.173320055 CET | 53 | 57569 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 14, 2025 08:37:12.108465910 CET | 192.168.2.4 | 1.1.1.1 | 0xc4d9 | Standard query (0) | toolsbox.ydns.eu | A (IP address) | IN (0x0001) | false
Jan 14, 2025 08:37:13.956491947 CET | 192.168.2.4 | 1.1.1.1 | 0xe316 | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
Jan 14, 2025 08:37:30.166766882 CET | 192.168.2.4 | 1.1.1.1 | 0xf4b9 | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 14, 2025 08:37:12.128926039 CET | 1.1.1.1 | 192.168.2.4 | 0xc4d9 | No error (0) | toolsbox.ydns.eu | | 185.222.57.67 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 08:37:13.171261072 CET | 1.1.1.1 | 192.168.2.4 | 0x452a | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 08:37:13.171261072 CET | 1.1.1.1 | 192.168.2.4 | 0x452a | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 08:37:13.964436054 CET | 1.1.1.1 | 192.168.2.4 | 0xe316 | No error (0) | ipwho.is | | 195.201.57.90 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 08:37:30.173320055 CET | 1.1.1.1 | 192.168.2.4 | 0xf4b9 | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
• ipwho.is
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49737 | 195.201.57.90 | 443 | 7880 | C:\Users\user\AppData\Roaming\SubDir\Client.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-14 07:37:14 UTC | 150 | OUT
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Host: ipwho.is
Connection: Keep-Alive
2025-01-14 07:37:15 UTC | 223 | IN
HTTP/1.1 200 OK
Date: Tue, 14 Jan 2025 07:37:14 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Server: ipwhois
Access-Control-Allow-Headers: *
X-Robots-Tag: noindex
2025-01-14 07:37:15 UTC | 1021 | IN
Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo



                                                                                                    Target ID:0
                                                                                                    Start time:02:36:58
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Users\user\Desktop\RFQ.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Users\user\Desktop\RFQ.exe"
                                                                                                    Imagebase:0x9e0000
                                                                                                    File size:3'973'632 bytes
                                                                                                    MD5 hash:DF29EE043D88F265CD76747F62AB3EA7
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1787982427.00000000077F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1758777796.0000000004119000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1751448270.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1799380953.000000000AA31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1758777796.0000000004156000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Reputation:low
                                                                                                    Has exited:true

                                                                                                    Target ID:2
                                                                                                    Start time:02:37:01
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.exe"
                                                                                                    Imagebase:0x10000
                                                                                                    File size:433'152 bytes
                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:3
                                                                                                    Start time:02:37:01
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:4
                                                                                                    Start time:02:37:01
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
                                                                                                    Imagebase:0x10000
                                                                                                    File size:433'152 bytes
                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:5
                                                                                                    Start time:02:37:01
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:6
                                                                                                    Start time:02:37:01
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp3071.tmp"
                                                                                                    Imagebase:0xe10000
                                                                                                    File size:187'904 bytes
                                                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:7
                                                                                                    Start time:02:37:01
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:8
                                                                                                    Start time:02:37:02
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Users\user\Desktop\RFQ.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Users\user\Desktop\RFQ.exe"
                                                                                                    Imagebase:0x4b0000
                                                                                                    File size:3'973'632 bytes
                                                                                                    MD5 hash:DF29EE043D88F265CD76747F62AB3EA7
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:low
                                                                                                    Has exited:true

                                                                                                    Target ID:9
                                                                                                    Start time:02:37:02
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Users\user\Desktop\RFQ.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Users\user\Desktop\RFQ.exe"
                                                                                                    Imagebase:0x9c0000
                                                                                                    File size:3'973'632 bytes
                                                                                                    MD5 hash:DF29EE043D88F265CD76747F62AB3EA7
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000009.00000002.1758633139.0000000000720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000009.00000002.1776568484.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000009.00000002.1758633139.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Reputation:low
                                                                                                    Has exited:true

                                                                                                    Target ID:10
                                                                                                    Start time:02:37:04
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                    Imagebase:0xe10000
                                                                                                    File size:187'904 bytes
                                                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.1756535087.0000000000940000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.1756535087.000000000094A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.1756721856.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.1756637875.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.1756425486.000000000087A000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:12
                                                                                                    Start time:02:37:04
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Users\user\AppData\Roaming\OLHTuSLw.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Users\user\AppData\Roaming\OLHTuSLw.exe
                                                                                                    Imagebase:0x250000
                                                                                                    File size:3'973'632 bytes
                                                                                                    MD5 hash:DF29EE043D88F265CD76747F62AB3EA7
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000C.00000002.1944343370.0000000004355000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000C.00000002.1965505722.000000000A17D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000C.00000002.1910184573.0000000002961000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Antivirus matches:
                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                    • Detection: 61%, ReversingLabs
                                                                                                    Reputation:low
                                                                                                    Has exited:true

                                                                                                    Target ID:13
                                                                                                    Start time:02:37:04
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:14
                                                                                                    Start time:02:37:04
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Users\user\AppData\Roaming\SubDir\Client.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
                                                                                                    Imagebase:0x790000
                                                                                                    File size:3'973'632 bytes
                                                                                                    MD5 hash:DF29EE043D88F265CD76747F62AB3EA7
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000E.00000002.1841403010.000000000A3BD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000E.00000002.1831528808.0000000004825000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000E.00000002.1813062182.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Antivirus matches:
                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                    • Detection: 61%, ReversingLabs
                                                                                                    Reputation:low
                                                                                                    Has exited:true

                                                                                                    Target ID:15
                                                                                                    Start time:02:37:06
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Users\user\AppData\Roaming\SubDir\Client.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Users\user\AppData\Roaming\SubDir\Client.exe
                                                                                                    Imagebase:0x930000
                                                                                                    File size:3'973'632 bytes
                                                                                                    MD5 hash:DF29EE043D88F265CD76747F62AB3EA7
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000F.00000002.1917697783.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000F.00000002.2006951486.000000000A231000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000F.00000002.2006951486.000000000AD92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000F.00000002.1980380242.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Reputation:low
                                                                                                    Has exited:true

                                                                                                    Target ID:16
                                                                                                    Start time:02:37:07
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
                                                                                                    Imagebase:0x10000
                                                                                                    File size:433'152 bytes
                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:17
                                                                                                    Start time:02:37:07
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:18
                                                                                                    Start time:02:37:07
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
                                                                                                    Imagebase:0x10000
                                                                                                    File size:433'152 bytes
                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:19
                                                                                                    Start time:02:37:07
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:20
                                                                                                    Start time:02:37:07
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp465A.tmp"
                                                                                                    Imagebase:0xe10000
                                                                                                    File size:187'904 bytes
                                                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:21
                                                                                                    Start time:02:37:07
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:22
                                                                                                    Start time:02:37:07
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Users\user\AppData\Roaming\SubDir\Client.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
                                                                                                    Imagebase:0xeb0000
                                                                                                    File size:3'973'632 bytes
                                                                                                    MD5 hash:DF29EE043D88F265CD76747F62AB3EA7
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000016.00000002.4161381551.0000000003931000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000016.00000002.4161381551.000000000364B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000016.00000002.4156155064.00000000017D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Has exited:false

                                                                                                    Target ID:23
                                                                                                    Start time:02:37:09
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                    Imagebase:0xe10000
                                                                                                    File size:187'904 bytes
                                                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000017.00000002.1811150520.00000000009CA000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000017.00000002.1813579238.00000000031E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000017.00000002.1813127627.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000017.00000002.1813127627.0000000002F4A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000017.00000002.1812111121.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Has exited:true

                                                                                                    Target ID:24
                                                                                                    Start time:02:37:09
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:26
                                                                                                    Start time:02:37:14
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
                                                                                                    Imagebase:0x10000
                                                                                                    File size:433'152 bytes
                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:27
                                                                                                    Start time:02:37:14
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:28
                                                                                                    Start time:02:37:14
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp63B6.tmp"
                                                                                                    Imagebase:0x7ff70f330000
                                                                                                    File size:187'904 bytes
                                                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:29
                                                                                                    Start time:02:37:14
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
                                                                                                    Imagebase:0x10000
                                                                                                    File size:433'152 bytes
                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:30
                                                                                                    Start time:02:37:14
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:31
                                                                                                    Start time:02:37:14
                                                                                                    Start date:14/01/2025
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:02:37:15
Start date:14/01/2025
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLHTuSLw" /XML "C:\Users\user\AppData\Local\Temp\tmp64CF.tmp"
Imagebase:0xe10000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:02:37:15
Start date:14/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:02:37:15
Start date:14/01/2025
Path:C:\Users\user\AppData\Roaming\OLHTuSLw.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Imagebase:0x100000
File size:3'973'632 bytes
MD5 hash:DF29EE043D88F265CD76747F62AB3EA7
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:02:37:15
Start date:14/01/2025
Path:C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:0x250000
File size:3'973'632 bytes
MD5 hash:DF29EE043D88F265CD76747F62AB3EA7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:02:37:15
Start date:14/01/2025
Path:C:\Users\user\AppData\Roaming\OLHTuSLw.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Imagebase:0x140000
File size:3'973'632 bytes
MD5 hash:DF29EE043D88F265CD76747F62AB3EA7
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:02:37:15
Start date:14/01/2025
Path:C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:0xbf0000
File size:3'973'632 bytes
MD5 hash:DF29EE043D88F265CD76747F62AB3EA7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000025.00000002.1919798656.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:38
Start time:02:37:15
Start date:14/01/2025
Path:C:\Users\user\AppData\Roaming\OLHTuSLw.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\OLHTuSLw.exe"
Imagebase:0xc70000
File size:3'973'632 bytes
MD5 hash:DF29EE043D88F265CD76747F62AB3EA7
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000026.00000002.1916808513.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:true


Execution Graph

Execution Coverage:11.4%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:0%
Total number of Nodes:190
Total number of Limit Nodes:10
Strings
Memory Dump Source
• Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
Similarity
• API ID:
• String ID: (o^q$(o^q$,bq$,bq$Hbq
• API String ID: 0-3486158592
• Opcode ID: 2893ba2cdcf53fcc97e2f2dafca4eb3f23b3c20777d8313d0fe8527bd5893de2
• Instruction ID: 9a30801cc0a1b6d0c2504ed48808bbbf8e43d54b9eaaf535857d01b271624aa2
• Opcode Fuzzy Hash: 2893ba2cdcf53fcc97e2f2dafca4eb3f23b3c20777d8313d0fe8527bd5893de2
• Instruction Fuzzy Hash: AA529E34B001159FDB58DF6AC898AADBBB2FF88354F158569E806DB364DB31EC41CB90
Strings
Memory Dump Source
• Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
Similarity
• API ID:
• String ID: (o^q$(o^q$,bq$,bq$Hbq
• API String ID: 0-3486158592
• Opcode ID: 23ffbc4ba0049f23dc1b9aafb1bceeb6f4ded473fbbcb99da79b1c00a1d89a28
• Instruction ID: e7a1ed3ebec702ad281f8e2579c1c068a07e3a6a3eb53ee3b7dfdfecba950bd0
• Opcode Fuzzy Hash: 23ffbc4ba0049f23dc1b9aafb1bceeb6f4ded473fbbcb99da79b1c00a1d89a28
• Instruction Fuzzy Hash: F9229F34B002158FCB54DF6ED994A6E7BB6BF88348F158469E806DB3A1CB31EC45CB91

Control-flow Graph
Memory Dump Source
• Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3f666419e731ab35f77862fcccc30c6cfd00a0bb5df0fd37109243c38f0cf1ac
• Instruction ID: 3e69cff2f596ceccd737d43eb416bb805865837d0dc68fb58a44c04eaf1f0deb
• Opcode Fuzzy Hash: 3f666419e731ab35f77862fcccc30c6cfd00a0bb5df0fd37109243c38f0cf1ac
• Instruction Fuzzy Hash: 2DB3E734A51219CFCB55EF64C894A99B3B2FF8A300F1186E9D5496B361DB31AEC5CF80

Control-flow Graph
Memory Dump Source
• Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 52511116770823b7047edfa6f676d11c18d3868a71eba6d27976c9462a6c7b1d
• Instruction ID: 7171eff5e05b78b0358502f502c503b7ca01c7426675c91ac343a108d167fd5c
• Opcode Fuzzy Hash: 52511116770823b7047edfa6f676d11c18d3868a71eba6d27976c9462a6c7b1d
• Instruction Fuzzy Hash: B8B3E734A51219CFCB55EF64C894A99B3B2FF8A300F1186E9D5496B361DB31AEC5CF80

Control-flow Graph
Memory Dump Source
• Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4eeb2b032f1f3e6bc5142efb4375c89339f55bc1e809fff26dd52540cce53ac0
• Instruction ID: 6519fc7eb87e4121c3f8e79e3ea4e2094467d0d37ebe251cae1df9f6d34eecee
• Opcode Fuzzy Hash: 4eeb2b032f1f3e6bc5142efb4375c89339f55bc1e809fff26dd52540cce53ac0
• Instruction Fuzzy Hash: BA830634A11619CFDB65EF68C894A99B7B2FF8A300F1146E9D4096B361DB31AED1CF40

Control-flow graph for the function at 95456d9-9545713 (graph edge data and executed/not-executed legend omitted; internal calls to 95496e0, 9549690, 9549718, 954a7c8, 954a7b9, 954fce8, 954fcd9)
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ab2d4e8448d3755d280da4e903749df4f5c535d2fcef8454fb496a5d7e0db997
                                                                                                      • Instruction ID: 944612118ce5dd4353c0ebaa5f1ab452eff9e7c1875e75e220f85e8de4317f54
                                                                                                      • Opcode Fuzzy Hash: ab2d4e8448d3755d280da4e903749df4f5c535d2fcef8454fb496a5d7e0db997
                                                                                                      • Instruction Fuzzy Hash: 26830634A11619CFDB65EF68C894A99B7B2FF8A300F1146E9D4096B361DB31AED1CF40
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c3ee88931d05ddf8b6dd1a65c0c1a76b4672f89fb6c7b7f7d950233ceefec23c
                                                                                                      • Instruction ID: d661fb21efbd56bbffcdbd833362e5f90d9a096b48be6556fbcd55b7ae581623
                                                                                                      • Opcode Fuzzy Hash: c3ee88931d05ddf8b6dd1a65c0c1a76b4672f89fb6c7b7f7d950233ceefec23c
                                                                                                      • Instruction Fuzzy Hash: 00C1A0B4E0522CCFDB14DFAAC8846ADBBF2BF49300F28916AD409B7255DB345986DF11
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: a9b6874a644f8e695c3884505f260880c65fc98ec2055f283fcc1938df8511d9
                                                                                                      • Instruction ID: f7b082f4f15a51b6ee2ea48960abfa8c3895fb8a7c7bba91e9a95cee3bb93afc
                                                                                                      • Opcode Fuzzy Hash: a9b6874a644f8e695c3884505f260880c65fc98ec2055f283fcc1938df8511d9
                                                                                                      • Instruction Fuzzy Hash: 0EC190B4E0522CCFDB14DFAAC8847ADBBF2BF89300F18916AD409A7255DB345986DF11
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: aa1d2643608d9a8dbde939a273f2eda16250ee069ed4d922e9398086119b9503
                                                                                                      • Instruction ID: a4242a892567f144f7e0f08af2057635727b457063c22bdd57b642dec9cf5be8
                                                                                                      • Opcode Fuzzy Hash: aa1d2643608d9a8dbde939a273f2eda16250ee069ed4d922e9398086119b9503
                                                                                                      • Instruction Fuzzy Hash: ED21E7B1D106188BEB18CF9BD8553DEFFB6BFC9300F14C06AD409A6254DB740A568F90
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 65aab0c03aba88a50b0e25894bd9d530a1dca79e1fd2239e7bfbc1f59aef69d6
                                                                                                      • Instruction ID: 5da9ab5db89f4d403700dc90d9cd3421361c0a424f8a56caa829885c4f6ee0a0
                                                                                                      • Opcode Fuzzy Hash: 65aab0c03aba88a50b0e25894bd9d530a1dca79e1fd2239e7bfbc1f59aef69d6
                                                                                                      • Instruction Fuzzy Hash: 5F21C5B1D146188BEB18CF9BD8553EEFBB7AFC9300F14C16AD40966264DB750A468F90

Control-flow graph for the function at 2f2d4e8-2f2d6c5 (graph edge data and executed/not-executed legend omitted; calls GetCurrentProcess, GetCurrentThread, GetCurrentThreadId and the internal routine at 2f2d6c7)
                                                                                                      APIs
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 02F2D576
                                                                                                      • GetCurrentThread.KERNEL32 ref: 02F2D5B3
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 02F2D5F0
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 02F2D649
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1747401301.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_2f20000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Current$ProcessThread
                                                                                                      • String ID:
                                                                                                      • API String ID: 2063062207-0
                                                                                                      • Opcode ID: 4eb7529569b7842bd57ce1895bc2a362794cd2ef938d8b82cf86ec12e494a627
                                                                                                      • Instruction ID: 1bb2c59e90a130d3215331cc0e1c5aeaf7ccc4b0d0a24a0591a2c1241585430b
                                                                                                      • Opcode Fuzzy Hash: 4eb7529569b7842bd57ce1895bc2a362794cd2ef938d8b82cf86ec12e494a627
                                                                                                      • Instruction Fuzzy Hash: 9C5165B0D002498FDB14CFA9C648BAEBFF1AF49358F20C4A9D159A73A0D7749984CF65

Control-flow graph for the function at 2f2d4f8-2f2d6c5 (graph edge data and executed/not-executed legend omitted; calls GetCurrentProcess, GetCurrentThread, GetCurrentThreadId and the internal routine at 2f2d6c7)
                                                                                                      APIs
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 02F2D576
                                                                                                      • GetCurrentThread.KERNEL32 ref: 02F2D5B3
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 02F2D5F0
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 02F2D649
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1747401301.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_2f20000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Current$ProcessThread
                                                                                                      • String ID:
                                                                                                      • API String ID: 2063062207-0
                                                                                                      • Opcode ID: 21423fb36799f7f851ee532907a33982669c6420f21d87e0defe74f95c821807
                                                                                                      • Instruction ID: 4ba0ff5346b3b5e47d38e245e58f842ed2ca95f7a23b9ed3df8074acd8883a85
                                                                                                      • Opcode Fuzzy Hash: 21423fb36799f7f851ee532907a33982669c6420f21d87e0defe74f95c821807
                                                                                                      • Instruction Fuzzy Hash: 1C5144B0D002098FDB14DFAAD648BEEBBF1AB48358F20C469D119A7360DB759984CF65
                                                                                                      APIs
                                                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07C2B42E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateProcess
                                                                                                      • String ID:
                                                                                                      • API String ID: 963392458-0
                                                                                                      • Opcode ID: 21d159dbe7c555234a605a6858f05c636588f10a8ae78f7814293835f011adb3
                                                                                                      • Instruction ID: 8f3cf23f0a94654dc7d46929eabe7f5753492fdd259ea606e123203ddafcd5d5
                                                                                                      • Opcode Fuzzy Hash: 21d159dbe7c555234a605a6858f05c636588f10a8ae78f7814293835f011adb3
                                                                                                      • Instruction Fuzzy Hash: A6A16FB1D0072ADFDB10CF68C8817DDBBB2BF44314F1485A9D819A7250EB749A86DF92
                                                                                                      APIs
                                                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07C2B42E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateProcess
                                                                                                      • String ID:
                                                                                                      • API String ID: 963392458-0
                                                                                                      • Opcode ID: 4140e2a47647861af42fec3f99f7e42f9f3d3ddc8c2614abe4b61f2a1cfa71e9
                                                                                                      • Instruction ID: 73179315fd849e2164727b172f341128172e69791a68b3f181026ad79af1c277
                                                                                                      • Opcode Fuzzy Hash: 4140e2a47647861af42fec3f99f7e42f9f3d3ddc8c2614abe4b61f2a1cfa71e9
                                                                                                      • Instruction Fuzzy Hash: FF915EB1D0072ADFDB10CF68C8817DDBBB2BF44314F1485A9D819A7250EB749A86DF92
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02F2B4C6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1747401301.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_2f20000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule
                                                                                                      • String ID:
                                                                                                      • API String ID: 4139908857-0
                                                                                                      • Opcode ID: 1cd62933ec656d12d8514dd8f2c36fcaa6ddcfe518f5e7955b734dbce54ae8b6
                                                                                                      • Instruction ID: f293432556456c3b1b3bff36cf5835f147581cac7402ef79d3180726b6152bb4
                                                                                                      • Opcode Fuzzy Hash: 1cd62933ec656d12d8514dd8f2c36fcaa6ddcfe518f5e7955b734dbce54ae8b6
                                                                                                      • Instruction Fuzzy Hash: 84816670A00B558FD724DF2AD64075ABBF1FF89348F008A2DD98ADBA50D774E849CB91
                                                                                                      APIs
                                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05631E42
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1775533793.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5630000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 716092398-0
                                                                                                      • Opcode ID: 2e628ff97dca52cc8e9e6257a2586c27553786d0cdb712791a4e0155184ded15
                                                                                                      • Instruction ID: afd886e44ed1132593ab68edba2e39fdc82b7ff1fdfb6cabd3eb56f85eef7f61
                                                                                                      • Opcode Fuzzy Hash: 2e628ff97dca52cc8e9e6257a2586c27553786d0cdb712791a4e0155184ded15
                                                                                                      • Instruction Fuzzy Hash: DB51C0B1D003499FDB14CFA9C884ADEBFB6FF49310F24812AE819AB210D7759885CF91
                                                                                                      APIs
                                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05631E42
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1775533793.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5630000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 716092398-0
                                                                                                      • Opcode ID: 96969389b1968fb8cf8d1a7340ba8a165f21140928ebb084183222c8c72b4f2b
                                                                                                      • Instruction ID: 3e39c9a14912654e0e91b2f734db732cae78a1d0de9132a777a9a7500f9e2007
                                                                                                      • Opcode Fuzzy Hash: 96969389b1968fb8cf8d1a7340ba8a165f21140928ebb084183222c8c72b4f2b
                                                                                                      • Instruction Fuzzy Hash: 0541B0B5D003499FDB14CF9AC984ADEBBB6FF49310F24812AE819AB210D7759885CF91
                                                                                                      APIs
                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 02F259C9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1747401301.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_2f20000_RFQ.jbxd
                                                                                                      Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 7b876040af2107078b121fa690b197f813f23c5cc14a3faa49faf40ad1d47498
• Instruction ID: 9dc9a4ed5b8da495ce88ce9b28fd56947d7fa74ecfc029080ee440fd5b2edf64
• Opcode Fuzzy Hash: 7b876040af2107078b121fa690b197f813f23c5cc14a3faa49faf40ad1d47498
• Instruction Fuzzy Hash: 9E4124B0C0071ACFDB24CFA9C8847CEBBB5BF49314F24819AD408AB251DB75598ACF90
APIs
• CreateActCtxA.KERNEL32(?), ref: 02F259C9
Memory Dump Source
• Source File: 00000000.00000002.1747401301.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f20000_RFQ.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: fa8cfaef6d6be9c01772ca9eb0ac8ba259e1cc306ed4fd5266edbd3cbc4a8f44
• Instruction ID: c7a71a349ca1351b6b87d6ae4b59cf8aaf50658d772bd2a92c68ddc6d7b40098
• Opcode Fuzzy Hash: fa8cfaef6d6be9c01772ca9eb0ac8ba259e1cc306ed4fd5266edbd3cbc4a8f44
• Instruction Fuzzy Hash: 8F4102B0C0062DCBDB24DFA9C98479EBBB5BF49314F20806AD508AB251DB755949CF90
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 056343C1
Memory Dump Source
• Source File: 00000000.00000002.1775533793.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5630000_RFQ.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: d03534986d863248baf614c57e1d720762dd4599a933b7a5daee5e396d1be5b4
• Instruction ID: 182ef53439c99e1fa7e0791084b8a638e06f7479a9ba969e5ca5fd9a0e3670a3
• Opcode Fuzzy Hash: d03534986d863248baf614c57e1d720762dd4599a933b7a5daee5e396d1be5b4
• Instruction Fuzzy Hash: CA3106B5A00205CFDB14CF99C489AAAFBF6FF88315F24C599D519AB321D774A841CF60
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07C2B000
Memory Dump Source
• Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 295eabf4c656ed46a728135f9298c48903d1f5ddf11a547ca2bd408eb1f34641
• Instruction ID: 9f6cc61bf4898298a7b10cf481d54e6b91342838f73c52c5368035ab13725250
• Opcode Fuzzy Hash: 295eabf4c656ed46a728135f9298c48903d1f5ddf11a547ca2bd408eb1f34641
• Instruction Fuzzy Hash: DD2169B59003599FCB10CFAAC881BDEBBF5FF48310F10842AE959A7240D7789945DFA4
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07C2B000
Memory Dump Source
• Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 3fbc96af14f46a3e5d8565926f3bf9c5e2a5722fb648f72548a5ffed11d67237
• Instruction ID: 3ebe3d2e6abfc85cf88da6f7c16a515c60e322115bedb2911a642ee57f6027fd
• Opcode Fuzzy Hash: 3fbc96af14f46a3e5d8565926f3bf9c5e2a5722fb648f72548a5ffed11d67237
• Instruction Fuzzy Hash: 572146B59003199FCB10CFA9C881BEEBBF1FF48310F10882AE959A7240D7789955DB60
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F2D7C7
Memory Dump Source
• Source File: 00000000.00000002.1747401301.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f20000_RFQ.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 63c96d0a7d70d411ac6db5a2833008129ac3d4a1c4c96dbfb791fb8d9e7769ff
• Instruction ID: 755835b1f59e59a258a82ccee17a43f7170617e7116e92e7695f8808dca4150e
• Opcode Fuzzy Hash: 63c96d0a7d70d411ac6db5a2833008129ac3d4a1c4c96dbfb791fb8d9e7769ff
• Instruction Fuzzy Hash: 012125B59003589FDB10CFAAD984ADEFFF4EB09320F14805AE954A7250C338A944CFA1
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07C2AA1E
Memory Dump Source
• Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 51e9545a98f85beac05bb99d795e3cbb940bc4ff37452d0b028e27872dd6bc67
• Instruction ID: f53f05bcdc7c62bef5b6e0705236c852e12d107da024babc9058b0161ac13062
• Opcode Fuzzy Hash: 51e9545a98f85beac05bb99d795e3cbb940bc4ff37452d0b028e27872dd6bc67
• Instruction Fuzzy Hash: 27213AB59002198FDB10DFAAC485BEEBBF4EF48324F14C429D459A7240CB789985CFA5
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07C2B0E0
Memory Dump Source
• Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: c19f46248f13ebd10ccd7994e8ea96f55b6150f3a95e1d4580a8da13f1ac3d5d
• Instruction ID: f4e7aba39cca60194be2f886470534e9a16e9887e9cd0dc40a9a53c7d1eb133a
• Opcode Fuzzy Hash: c19f46248f13ebd10ccd7994e8ea96f55b6150f3a95e1d4580a8da13f1ac3d5d
• Instruction Fuzzy Hash: 802139B1D003599FCB10DFAAC880ADEFBF5FF48320F108429E559A7250DB789945DBA5
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07C2AA1E
Memory Dump Source
• Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: f4cbd1d4ac09827b1cbcb88b83269956d5f7a4b8111f2371367a44b6370f158f
• Instruction ID: 8d1b1aea63bbdda497c3376ebc204bcfca19c3ba1e4947c1232fe4da46f17b47
• Opcode Fuzzy Hash: f4cbd1d4ac09827b1cbcb88b83269956d5f7a4b8111f2371367a44b6370f158f
• Instruction Fuzzy Hash: E72149B19003198FDB10DFAAC4857EEBBF4EF48324F10C429D459A7240CB789985CFA5
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07C2B0E0
Memory Dump Source
• Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 33a9f0744c8c09d184ab5abc2e678850df82a2aa9f7af0320d855578fc6045f8
• Instruction ID: 92e5951b9cd307d1d0403e966425c5b92d7d080406bec13096494797d0b185be
• Opcode Fuzzy Hash: 33a9f0744c8c09d184ab5abc2e678850df82a2aa9f7af0320d855578fc6045f8
• Instruction Fuzzy Hash: 852136B5D002599FCB10CFA9C980AEEBBF1FF48320F10842AE559A7250D7389941CB61
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F2D7C7
Memory Dump Source
• Source File: 00000000.00000002.1747401301.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f20000_RFQ.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: cd1d75e56984dd6c7c63f4673481e2b93f253a482a3bffa269eb96c7bad4f66a
• Instruction ID: ce1fe6cee44c6e709973efa5f73a0a49f86c33948ae76ded31d023712e28d0fd
• Opcode Fuzzy Hash: cd1d75e56984dd6c7c63f4673481e2b93f253a482a3bffa269eb96c7bad4f66a
• Instruction Fuzzy Hash: 9421E4B59002589FDB10CF9AD584ADEBFF4EB48320F14841AE958A3310C378A944CFA5
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07C2AF1E
Memory Dump Source
• Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: f3eb679fb52ac1696f2ec83b2ecb8d8b75fce45fdbc7f57adfa2f52724ff4fb4
• Instruction ID: ad81fcb6dfc257f481c8c9b4e45bca9808e4feaa477d9102ccd6b8760b04d2da
• Opcode Fuzzy Hash: f3eb679fb52ac1696f2ec83b2ecb8d8b75fce45fdbc7f57adfa2f52724ff4fb4
• Instruction Fuzzy Hash: 371167B6800249CFCB10CFA9C845BDEBBF5EF48324F20881AE559A7250C7399951CFA1
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07C2AF1E
Memory Dump Source
• Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 199479bd70dd9c81e8bfb2a3bddbe3506e12df31e9ed6521d2f87ce0d0042ce5
• Instruction ID: 32df3a02553c6e5f666f04a10c053bc1bbe92527ad7a9eba1b18393df91fa553
• Opcode Fuzzy Hash: 199479bd70dd9c81e8bfb2a3bddbe3506e12df31e9ed6521d2f87ce0d0042ce5
• Instruction Fuzzy Hash: 431167B68002499FCB10DFAAC844BDEBFF5EF88324F10841AE559A7250C739A941CFA1
APIs
Memory Dump Source
• Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: ee73325c15c561ec1e0795c9cf0bd22fa65ab9f18ca2931f6b1038b685906f44
• Instruction ID: 6ac2d40774c0d0b20d8b49d24264bf7277688a08ddb7fb027cdcd66582260be1
• Opcode Fuzzy Hash: ee73325c15c561ec1e0795c9cf0bd22fa65ab9f18ca2931f6b1038b685906f44
• Instruction Fuzzy Hash: 191158B5900259CFDB20DFAAC8457EEFBF5EB88324F208429D459A7250CB38A545CFA5
APIs
Memory Dump Source
• Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: c1329878d264eb9ea93d8ed0096a480498361f3566073eed5c97182f0922bb4a
• Instruction ID: 01489fd37c6f2cf76c9ab8e287a4377ecbad6bdba52ed3d7ad5f93667a695755
• Opcode Fuzzy Hash: c1329878d264eb9ea93d8ed0096a480498361f3566073eed5c97182f0922bb4a
• Instruction Fuzzy Hash: E9116AB19003598FCB10DFAAC4457DEFBF5EF88324F208419C459A7250CB38A545CF95
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07C2F54D
Memory Dump Source
• Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 145af28923dc6bdca1bb6f612fe1a0be1349e5c44ecdcd79d6a417f6ef77837b
• Instruction ID: 4babc89da7c36d8198c624f14e806ad2139b6a09cba6e537b3aabf6a5d7c4220
• Opcode Fuzzy Hash: 145af28923dc6bdca1bb6f612fe1a0be1349e5c44ecdcd79d6a417f6ef77837b
• Instruction Fuzzy Hash: 0B11F2B58002599FDB10DF9AD885BDEBFF8EB48324F10841AE558A7210C379A684CFA1
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07C2F54D
Memory Dump Source
• Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 95b437c9935736accbc74c44a8acca7ad3b05ec8d1dd1daab3fa7a2a3f5ba8f8
• Instruction ID: 8ab3ee4e3f927b4d7f9f5468a22c2863838f96461aad1103ef40c75470a82bd2
• Opcode Fuzzy Hash: 95b437c9935736accbc74c44a8acca7ad3b05ec8d1dd1daab3fa7a2a3f5ba8f8
• Instruction Fuzzy Hash: 7D1106B580075DDFDB10DF9AC484BDEBBF8EB48324F108419E558A7200C375AA44CFA5
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02F2B4C6
Memory Dump Source
• Source File: 00000000.00000002.1747401301.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f20000_RFQ.jbxd
Similarity
                                                                                                      • API ID: HandleModule
                                                                                                      • String ID:
                                                                                                      • API String ID: 4139908857-0
                                                                                                      • Opcode ID: 497a9bf5aca47fe4c88e11dba7b822671b00ceddf8935ff29826ddc228a45571
                                                                                                      • Instruction ID: a8e4be5fa33614f79200f9004ab84753a0f60d339b3f8a5932886a4b137e3f9d
                                                                                                      • Opcode Fuzzy Hash: 497a9bf5aca47fe4c88e11dba7b822671b00ceddf8935ff29826ddc228a45571
                                                                                                      • Instruction Fuzzy Hash: DA110FB5C002598FCB10CF9AC544BDEFBF4EB89224F10842AD959A7210C379A545CFA1
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: Hbq
                                                                                                      • API String ID: 0-1245868
                                                                                                      • Opcode ID: 489a9be7ee5887c466ba8e88f8893a817b300816a75fa9babdb1594e43530634
                                                                                                      • Instruction ID: c34d58df9eedc738a8879b12e65ca658ebe1bf39e6e7b4c8318e02943a164ea3
                                                                                                      • Opcode Fuzzy Hash: 489a9be7ee5887c466ba8e88f8893a817b300816a75fa9babdb1594e43530634
                                                                                                      • Instruction Fuzzy Hash: 4B312630A05208AFDB559F75C8017AE7FB5FF86300F10C4A6E546DB280DB349E4ACB52
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: Hbq
                                                                                                      • API String ID: 0-1245868
                                                                                                      • Opcode ID: 1f897aa8555ed9bd3a551f315e2585bd3e35958e83fdeba93dad4a902f972cd4
                                                                                                      • Instruction ID: 5b5d43af12c3b7001f78b387e75d47788903b2cf94cf91738a836f976002d5fc
                                                                                                      • Opcode Fuzzy Hash: 1f897aa8555ed9bd3a551f315e2585bd3e35958e83fdeba93dad4a902f972cd4
                                                                                                      • Instruction Fuzzy Hash: 5121F630A04204AFD7859F759C42BBE3FBAFF81340F5084A5E946DA280DB349D4ACB52
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: 4'^q
                                                                                                      • API String ID: 0-1614139903
                                                                                                      • Opcode ID: 581102ca766d7f1c9d0022bd949dcbda73ab6ef16ff52f4717eac808240491c3
                                                                                                      • Instruction ID: ac94d81aae854e7670ef4f2412a7237a27595fecd4828cd05b3e2fbd9d6f9707
                                                                                                      • Opcode Fuzzy Hash: 581102ca766d7f1c9d0022bd949dcbda73ab6ef16ff52f4717eac808240491c3
                                                                                                      • Instruction Fuzzy Hash: 0D21C134E1020ACFEB04EFA5D9946EABB71FF84304F108214E512B7254DB707995CF90
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: 4'^q
                                                                                                      • API String ID: 0-1614139903
                                                                                                      • Opcode ID: 2856075052be5eb95eb4e5316cc865d593dd7b776e2426b4fbaa75199954f642
                                                                                                      • Instruction ID: c0e7d3f937fca360f4f3a680658276eddd5399b95045c8f434b62c8c08e9d3f5
                                                                                                      • Opcode Fuzzy Hash: 2856075052be5eb95eb4e5316cc865d593dd7b776e2426b4fbaa75199954f642
                                                                                                      • Instruction Fuzzy Hash: 00218E34E1030A8FEB04EFA5D9545EABB71FF85704F108224E522B7294EB707995CF91
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 01e4390046c1c43408f54117e45863c55845b36cde06079a2b5690105b618874
                                                                                                      • Instruction ID: 8d05b39f9efd5ba84ab85e15ec5b632eafbac91d994f62d1bba3ecd9590d9a95
                                                                                                      • Opcode Fuzzy Hash: 01e4390046c1c43408f54117e45863c55845b36cde06079a2b5690105b618874
                                                                                                      • Instruction Fuzzy Hash: 77915B75A002168FDB54DF6ED884AAEBBB1FF88704F158569E805EB3A1C734EC41CB91
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 40a7b9fa3995a477820ab989d26633115d8ef8c8cb8e1370a36113f77bd1c02e
                                                                                                      • Instruction ID: 0a5eb108b2271d3e0f4bed8358ac4037480ca265f14547d347211297577d6f9b
                                                                                                      • Opcode Fuzzy Hash: 40a7b9fa3995a477820ab989d26633115d8ef8c8cb8e1370a36113f77bd1c02e
                                                                                                      • Instruction Fuzzy Hash: 17512534A501189FCB94DF65D959AAD7BB6FB88315F118469F802EB3A0CB31AC40CF90
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8802307e9222ad09af78ee55b04612c6c78f5f92c5469a209880895d45226c7a
                                                                                                      • Instruction ID: 60ce735571c5e7ff0e0a8c3be75ac7824c7216e9d3f478e1ff5f18d4e2e61f7b
                                                                                                      • Opcode Fuzzy Hash: 8802307e9222ad09af78ee55b04612c6c78f5f92c5469a209880895d45226c7a
                                                                                                      • Instruction Fuzzy Hash: DC41283061011A9FCF159F65E895AAE7BB6FF84345F148429F8029B394DB34EC66CB90
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 2f65cc907c5bcad40daca22492c3f22488dde2db963f4ca610c3834216f2825e
                                                                                                      • Instruction ID: 985cf7809cf80480e415c2c99332845e8f18c729ef3059913e8a1bfef83aa859
                                                                                                      • Opcode Fuzzy Hash: 2f65cc907c5bcad40daca22492c3f22488dde2db963f4ca610c3834216f2825e
                                                                                                      • Instruction Fuzzy Hash: A9413C75E052199FCB44CFAAD451AEEBBF2FF89300F10D46AE814E7251DB349A41CB90
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 29fc7240aa2f1f5670fa9ff486b8253b4807a63ff0457a72401b7d130e9c0d06
                                                                                                      • Instruction ID: b5c80e9ed08b973567417bdc875ec7cd9cb7c479187202fa149a79d07d3825ad
                                                                                                      • Opcode Fuzzy Hash: 29fc7240aa2f1f5670fa9ff486b8253b4807a63ff0457a72401b7d130e9c0d06
                                                                                                      • Instruction Fuzzy Hash: 2441D135A003558BDB00DF18C48039A7762FF46318F4984B9DD0DBF296DBB67989CBA1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 68e6ff5ea81b6470372ff4056fa77dddcad0987dcbeffb760257590a757f6c68
                                                                                                      • Instruction ID: bf9c2720867ee04f31047e4b513ed1aef156f5f5906a69d94a07cd82f463ef35
                                                                                                      • Opcode Fuzzy Hash: 68e6ff5ea81b6470372ff4056fa77dddcad0987dcbeffb760257590a757f6c68
                                                                                                      • Instruction Fuzzy Hash: 2F41D435A003158BDB00DF28D48039A73A2FF46358F498475DD0DBF256CBB6B98ACBA1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 532f86bb6483196d249da6c42161c7f354b4c57fd72c94c3e829718f6cfad71a
                                                                                                      • Instruction ID: 34f401c56d5027168743cfff4134ace9f657a455dd6cac585d47089dfcb5f27d
                                                                                                      • Opcode Fuzzy Hash: 532f86bb6483196d249da6c42161c7f354b4c57fd72c94c3e829718f6cfad71a
                                                                                                      • Instruction Fuzzy Hash: 1B412C75B001098FCB54CF6AD895A6EB7B1FF88714F158469E915DB3A1C734EC11CB90
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: a56550bbf6d084b24312d92bee16df4940db025d2022ac255edf614dc52d534b
                                                                                                      • Instruction ID: 15c90d8a463036503e1505524d59b13bd66c16ef11175c0898d615397eddd741
                                                                                                      • Opcode Fuzzy Hash: a56550bbf6d084b24312d92bee16df4940db025d2022ac255edf614dc52d534b
                                                                                                      • Instruction Fuzzy Hash: 19313735E0120DEFCB05CFA9D9559EEBBB2FF89310F10846AE905A7360DB319946CB81
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1813849141.000000000BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BB40000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_bb40000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: dbf778e6739bab1ef655ede5a9f3b41610b844dc5fd6ad1b3397af5886316fc9
                                                                                                      • Instruction ID: fdd3eb5b4e847469d447413b14f1926fe7c9b4b27adaa5d6e0bb3558ed59964b
                                                                                                      • Opcode Fuzzy Hash: dbf778e6739bab1ef655ede5a9f3b41610b844dc5fd6ad1b3397af5886316fc9
                                                                                                      • Instruction Fuzzy Hash: C6313370D09219CBDB00DFA9D9087FEBBF4BB4A301F4450AAD615B3241D7784A84EFA1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 4f603bd70d4496170fb8bbd272e254ec6a019946de5ac7b1a85e79702306714b
                                                                                                      • Instruction ID: 96c5acb06c4da486ac49b45c3ae9426d722d60092a28b2f1d15e8cef00e962f8
                                                                                                      • Opcode Fuzzy Hash: 4f603bd70d4496170fb8bbd272e254ec6a019946de5ac7b1a85e79702306714b
                                                                                                      • Instruction Fuzzy Hash: 9B311275D00219AFCB04CFA9D859AEEFBB2FF49300F159069E505AB260C7759A90CFA0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1813849141.000000000BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BB40000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_bb40000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9610f13ecab844776adf231bd2db504e5a21d8ea0cb6b38dc79f9ef36d7cc115
                                                                                                      • Instruction ID: 385ef9fad7932236f57ddd9132cfa1a4073fc93ac4e60b41063a76da1eef495d
                                                                                                      • Opcode Fuzzy Hash: 9610f13ecab844776adf231bd2db504e5a21d8ea0cb6b38dc79f9ef36d7cc115
                                                                                                      • Instruction Fuzzy Hash: 7C311370D09219CBDB04EFA9C9087FEBBF4BB49301F4050AAD619B3241D7784A84EFA0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1735605515.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_12dd000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9f07800970bcfbc69f279d55ef3b6d60c19ac86a1d07088981798bec3b0d2553
                                                                                                      • Instruction ID: b2e0524271251b7981f15ebd21e7e9a6d6718850adbaf303f2a18dbcbf5309a5
                                                                                                      • Opcode Fuzzy Hash: 9f07800970bcfbc69f279d55ef3b6d60c19ac86a1d07088981798bec3b0d2553
                                                                                                      • Instruction Fuzzy Hash: 48216771550648DFCB01DF58E9C0F27BF65FB88318F20C169E9090B296C336D446CBA1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1735605515.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_12dd000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 2df03d09850254efd1d8eece2833253a234c41f787c785c3598e0140efff478b
                                                                                                      • Instruction ID: d376aaa18f02ca059698407fb4a3e22b3c77fd3ce2109cb2a02784249d6b11be
                                                                                                      • Opcode Fuzzy Hash: 2df03d09850254efd1d8eece2833253a234c41f787c785c3598e0140efff478b
                                                                                                      • Instruction Fuzzy Hash: E1216775110648DFDB01DF98C9C0B6BBF65FB88324F20C16DE9090B296C336E446CBA1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 1bf159bf5e04174f0e0e7c5563a3c5bc7dab404dcf5f26de361c33ce9bb1e97b
                                                                                                      • Instruction ID: 8560f10cc65c5425d6deb0ecf2855661addd5084ceb0e7543b3b0110ad32033c
                                                                                                      • Opcode Fuzzy Hash: 1bf159bf5e04174f0e0e7c5563a3c5bc7dab404dcf5f26de361c33ce9bb1e97b
                                                                                                      • Instruction Fuzzy Hash: 0F31B2B5D00209AFCB04CFA9D594AEEBFB1FF48350F248529E819E7250DB345A55CF50
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: fd87f5ac6240865430ba521f45d6cfb4cc7ab5698c1ca67427af8a53530932f9
                                                                                                      • Instruction ID: 256e9e6e1f1b4cfa862109d48627bbc1f1faad6091f48b350201bff2f55d5543
                                                                                                      • Opcode Fuzzy Hash: fd87f5ac6240865430ba521f45d6cfb4cc7ab5698c1ca67427af8a53530932f9
                                                                                                      • Instruction Fuzzy Hash: F3216A35B0410A8FCB50DFAAD489A6E7BB1BF48314F158466E905DB365DA30E885CBA1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1743732468.0000000002E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E5D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_2e5d000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b66047c0b0a167368f454b40b9c83f3944c94b644d365813cd09481a0bf2b0c7
                                                                                                      • Instruction ID: 0bc5d1c079e80802d9a75aa21490ff4f51b013b3d2065c03ebb825a235c5e31e
                                                                                                      • Opcode Fuzzy Hash: b66047c0b0a167368f454b40b9c83f3944c94b644d365813cd09481a0bf2b0c7
                                                                                                      • Instruction Fuzzy Hash: ED210479594204EFDB05DF54DAC0B26BBA5FB88318F20C66DEC0D4B256C376D446CA61
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1743732468.0000000002E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E5D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_2e5d000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 79710964490776eea3c325f3fd44cc9eb319b39ffd848334f6b1db4a1041ad3e
                                                                                                      • Instruction ID: 0e4d87de644f2290431e9c22ad4f8afcb9dd31954a1bf4267a5fd4c69a8a9d73
                                                                                                      • Opcode Fuzzy Hash: 79710964490776eea3c325f3fd44cc9eb319b39ffd848334f6b1db4a1041ad3e
                                                                                                      • Instruction Fuzzy Hash: 0C21F271694200DFDB14DF14D9C4B26BBA6EF84318F20C569DD0A4B296C33AD847CA61
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8230a8095dce58da732b74b199aca703ad7d5a84070cbad2a7c1b67e6cb5d791
                                                                                                      • Instruction ID: f73457c09706f238b604c6e76ac1f08de68f9374d77ff38a3effc7f84838a009
                                                                                                      • Opcode Fuzzy Hash: 8230a8095dce58da732b74b199aca703ad7d5a84070cbad2a7c1b67e6cb5d791
                                                                                                      • Instruction Fuzzy Hash: E321D275D00209AFCB05CFA9D945ADEBBB2FF89310F10842AE915A7260DB716956CF80
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1743732468.0000000002E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E5D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_2e5d000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f8707609a63c1c48567636c6cef7ec17425c5fb4c9fc7190e54e1cf5a114f9e3
                                                                                                      • Instruction ID: 4629fbe719a109be7caeaf1d8e15157c25dd7153806f631ba29a3823f7046f43
                                                                                                      • Opcode Fuzzy Hash: f8707609a63c1c48567636c6cef7ec17425c5fb4c9fc7190e54e1cf5a114f9e3
                                                                                                      • Instruction Fuzzy Hash: E52165755493C08FDB12CF24D994715BF71EF46218F28C5DAD8498F6A7C33A940ACB62
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1735605515.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_12dd000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                      • Instruction ID: 02042dc29d0042f5f53f6d94a7b57d1d3d56dbd51acb29ca2a778e13abf10fac
                                                                                                      • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                      • Instruction Fuzzy Hash: 1E110376404284CFCB12CF54D5C4B16BF71FB84318F24C6A9D9090B257C336D45ACBA1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1735605515.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_12dd000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                      • Instruction ID: 319d6ff85855e77e2f328ef29497d486465e3203c59a839eb59647f03faf36d0
                                                                                                      • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                      • Instruction Fuzzy Hash: BA110376404684DFDB12CF44D5C4B56BF71FB94324F24C2A9D9090B257C33AE45ACBA1
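The two records just above share one Opcode ID (201b50b4...) but carry different Instruction IDs and near-identical Instruction Fuzzy Hashes, which is the kind of pattern worth pulling out of a long similarity listing like this one. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses these "Memory Dump Source / Similarity" records into dicts, groups blocks per memory dump and per Opcode ID, and counts positional mismatches between two Instruction Fuzzy Hashes. The sample text is copied from three records on this page. Two points are assumptions, not facts from the report: that an Opcode ID fixes the instruction shape while the Instruction ID also covers operands, and that the fifth dotted field of the .sdmp name (00000040 here) is the page protection, which would make it PAGE_EXECUTE_READWRITE.

```python
"""Parse Joe Sandbox similarity records and group code blocks by dump and Opcode ID.
Added example; the SAMPLE records are copied from the report text."""
import re
from collections import defaultdict

# Three records copied from the report above; two share an Opcode ID.
SAMPLE = """
Memory Dump Source
• Source File: 00000000.00000002.1735605515.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12dd000_RFQ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction ID: 02042dc29d0042f5f53f6d94a7b57d1d3d56dbd51acb29ca2a778e13abf10fac
• Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction Fuzzy Hash: 1E110376404284CFCB12CF54D5C4B16BF71FB84318F24C6A9D9090B257C336D45ACBA1
Memory Dump Source
• Source File: 00000000.00000002.1735605515.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12dd000_RFQ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction ID: 319d6ff85855e77e2f328ef29497d486465e3203c59a839eb59647f03faf36d0
• Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction Fuzzy Hash: BA110376404684DFDB12CF44D5C4B56BF71FB94324F24C2A9D9090B257C33AE45ACBA1
Memory Dump Source
• Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ed171b1eb35c1ae080836c50eae3c5b95616fddb5aa754a11c5fcd150d7c6a7d
• Instruction ID: afe2f13d9771865c3bb3ddc4135273b89109def5ac761ad85449ee84b3db36ec
• Opcode Fuzzy Hash: ed171b1eb35c1ae080836c50eae3c5b95616fddb5aa754a11c5fcd150d7c6a7d
• Instruction Fuzzy Hash: 2B1128B1C062599FCB41CFB8C945A9EBFB1FF06300F1184AAE408E7261D7358A45CB91
"""

FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")
SOURCE_RE = re.compile(
    r"^(?P<file>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")


def parse_records(text):
    """One dict per 'Memory Dump Source' record; blank fields (API ID etc.) become None."""
    records = []
    for chunk in text.split("Memory Dump Source")[1:]:
        rec = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if not m:          # "Joe Sandbox IDA Plugin", "Similarity" carry no data
                continue
            rec[m.group(1).strip()] = m.group(2).strip() or None
        src = SOURCE_RE.match(rec.get("Source File") or "")
        if src:
            rec["dump"] = src["file"]
            rec["offset"] = int(src["offset"], 16)
            rec["based_on_pe"] = src["pe"] == "true"
        records.append(rec)
    return records


def dump_protection(dump_name):
    """Fifth dotted field of the .sdmp name read as a page protection value.
    ASSUMPTION about the naming scheme: 0x40 would be PAGE_EXECUTE_READWRITE."""
    return int(dump_name.split(".")[4], 16)


def blocks_per_dump(records):
    """How many disassembled blocks the report attributes to each memory dump."""
    counts = defaultdict(int)
    for r in records:
        counts[r.get("dump")] += 1
    return dict(counts)


def shared_opcode_ids(records):
    """Opcode ID -> sorted Instruction IDs, for Opcode IDs seen with more than one.
    ASSUMPTION: same Opcode ID + different Instruction ID = same code shape, other operands."""
    by_opcode = defaultdict(set)
    for r in records:
        if r.get("Opcode ID") and r.get("Instruction ID"):
            by_opcode[r["Opcode ID"]].add(r["Instruction ID"])
    return {k: sorted(v) for k, v in by_opcode.items() if len(v) > 1}


def fuzzy_hash_distance(a, b):
    """Positional mismatch count between two equal-length fuzzy hashes (a crude
    similarity measure chosen for this example, not Joe Sandbox's own metric)."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes differ in length")
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(blocks_per_dump(recs))
    for opc, instrs in shared_opcode_ids(recs).items():
        print(f"Opcode ID {opc[:16]}... recurs with {len(instrs)} Instruction IDs")
```

Run against the full listing on this page rather than the three-record sample, `blocks_per_dump` shows how the disassembled blocks are spread across the 012DD000, 02E5D000, 09540000 and 0BB40000 dumps, and `shared_opcode_ids` surfaces every repeated code shape in one pass instead of eyeballing 64-hex-digit IDs.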
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1743732468.0000000002E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E5D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_2e5d000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                      • Instruction ID: ee7c73c6229b4f2b1ce78359ed329e4d7031a3fd1a461a25e7e6fd99fca66c97
                                                                                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                      • Instruction Fuzzy Hash: 6211BB79544280DFCB02CF50C9C4B15BBA1FB84218F24C6AEDC494B296C33AD45ACB61
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ed171b1eb35c1ae080836c50eae3c5b95616fddb5aa754a11c5fcd150d7c6a7d
                                                                                                      • Instruction ID: afe2f13d9771865c3bb3ddc4135273b89109def5ac761ad85449ee84b3db36ec
                                                                                                      • Opcode Fuzzy Hash: ed171b1eb35c1ae080836c50eae3c5b95616fddb5aa754a11c5fcd150d7c6a7d
                                                                                                      • Instruction Fuzzy Hash: 2B1128B1C062599FCB41CFB8C945A9EBFB1FF06300F1184AAE408E7261D7358A45CB91
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1735605515.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_12dd000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 35571976e1e1922948470c4ebe1c7e8017d45ab6fdf1486c67f535c73876fb4b
                                                                                                      • Instruction ID: 302e77b40cf57df3379acb673c15360c15fb592fbaa6b4bc6a9ce18debfd4234
                                                                                                      • Opcode Fuzzy Hash: 35571976e1e1922948470c4ebe1c7e8017d45ab6fdf1486c67f535c73876fb4b
                                                                                                      • Instruction Fuzzy Hash: 9E012B310187889AF7144E69CD84B67BF9CDF45324F08C5AAEE090B2C6D679D841C6B1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e1671f672b988f1a4dec3bcdcae84153fea570ba1529e32b818a086f2cc528cd
                                                                                                      • Instruction ID: 721fb59d0bfeb8edb9632dd73e922bdd75db80d303df9fbe2f876199b9932a50
                                                                                                      • Opcode Fuzzy Hash: e1671f672b988f1a4dec3bcdcae84153fea570ba1529e32b818a086f2cc528cd
                                                                                                      • Instruction Fuzzy Hash: B30116B5D01219EFCB40DFA8C545AAEBFF1FF48300F2084A9E508A7260E7358A90DF91
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1735605515.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_12dd000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 91d1e30e727633a9db6807106efd21aed6b58efab41410d2d50854bf1db14a14
                                                                                                      • Instruction ID: bedd82f77350379edb2d45311009057035875fe06188f7c6675c7170478bc869
                                                                                                      • Opcode Fuzzy Hash: 91d1e30e727633a9db6807106efd21aed6b58efab41410d2d50854bf1db14a14
                                                                                                      • Instruction Fuzzy Hash: 39F0C2714087849EF7148E1ACC88B62FFA8EB41334F18C45AEE0C0B286C2799840CAB1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 950442b27cde2bd18ea9f2c8547066b2963d7e39c3006579903e3bd983fa7462
                                                                                                      • Instruction ID: ef879bc48d5f8088f9e1d1af8cc275e749316150486f38b5312801bbb43a5f18
                                                                                                      • Opcode Fuzzy Hash: 950442b27cde2bd18ea9f2c8547066b2963d7e39c3006579903e3bd983fa7462
                                                                                                      • Instruction Fuzzy Hash: 1BF09D79E002099FCB05CFA8E5556EDBBB0FB48210F204069E911B3340D73959528F20
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 473e4c44eb9389c60513262c48732452f945a1d800f038b1b6daa5d15d240270
                                                                                                      • Instruction ID: d5f204f341beb12d638621d17ec24a5bc9feda310a375fa75dbbbfdeb17e449d
                                                                                                      • Opcode Fuzzy Hash: 473e4c44eb9389c60513262c48732452f945a1d800f038b1b6daa5d15d240270
                                                                                                      • Instruction Fuzzy Hash: 54E08631A14208ABCF506AA7E84E9AFBF6CEB442A5F448432FE05C1102EA70D458C5A4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1813849141.000000000BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BB40000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_bb40000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 22ef0169d3fe30db30bf6b7903286b669bdd84cb9b58689667269d37549b62bf
                                                                                                      • Instruction ID: 1caf4b165eb3cdf9e445dd19ddbd0ff432dfff757d930d8959fc9bee69a3cd1b
                                                                                                      • Opcode Fuzzy Hash: 22ef0169d3fe30db30bf6b7903286b669bdd84cb9b58689667269d37549b62bf
                                                                                                      • Instruction Fuzzy Hash: 0CE0867184915CEFCB14EBB8A4516AC7F74E742201F5081FAD44413281DB301A45E7A2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f8644aa86ff8e66d36f0afc1758752f78630b9093ac3ebe4706175cd625c0224
                                                                                                      • Instruction ID: 5f105fea785681942dd1b8d1686afff321afc7a1f5cad93d42498180d30ff5a8
                                                                                                      • Opcode Fuzzy Hash: f8644aa86ff8e66d36f0afc1758752f78630b9093ac3ebe4706175cd625c0224
                                                                                                      • Instruction Fuzzy Hash: 64D0123065430E9FDF946EBBE908B6E7AD8BF40299F80A436EC08C2151EB31D4A18958
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1813849141.000000000BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BB40000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_bb40000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 7929c92c0d2c338a133a3a75cd328d3b29a63a952eec149c661b106c5d8008b7
                                                                                                      • Instruction ID: 3b1bbf1291a9605b24584cadc982e9a85a5657687297b12903388931a906e802
                                                                                                      • Opcode Fuzzy Hash: 7929c92c0d2c338a133a3a75cd328d3b29a63a952eec149c661b106c5d8008b7
                                                                                                      • Instruction Fuzzy Hash: 53D1CD30B016108FDB25DB7AC550BAE7BF6EF89700F1444ADD20AEB2A0DB35E846DB51
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1775533793.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5630000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 0415bf34ba130ca46346c4fbc7c1745f13306fd42ca1ab9dacd5db90c7ab92a7
                                                                                                      • Instruction ID: 43dd008f66b011fccd094236c8219d2be8c89fa77282ff2b6404a40ee61fa507
                                                                                                      • Opcode Fuzzy Hash: 0415bf34ba130ca46346c4fbc7c1745f13306fd42ca1ab9dacd5db90c7ab92a7
                                                                                                      • Instruction Fuzzy Hash: 7912B7F8C857498BD310EF65E84C189BBF1BB71398BD04A19D2621E2E1D7F8156ACF44
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 843f2bb062c877f5d97cb120d95f5b2f3802bf0eb2091e008e9cdfc0005fd152
                                                                                                      • Instruction ID: ae222dfbe383f1fdc47df197e2f7682eec8785e4e9e4d728342a102cdf2b070d
                                                                                                      • Opcode Fuzzy Hash: 843f2bb062c877f5d97cb120d95f5b2f3802bf0eb2091e008e9cdfc0005fd152
                                                                                                      • Instruction Fuzzy Hash: 31E1C9B4E001198FCB14DFA9C5809AEFBF2FF89305F248169E414AB356D735A982DF61
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 126b538c59eaea480f65af4443b321eed214859849815bacc72788b131a3f55a
                                                                                                      • Instruction ID: bc62be118635564b756d11be64035d0b46f02d9a28ff39bd4824572c9dec82c3
                                                                                                      • Opcode Fuzzy Hash: 126b538c59eaea480f65af4443b321eed214859849815bacc72788b131a3f55a
                                                                                                      • Instruction Fuzzy Hash: 80E1C8B4E041198FCB14CFA9C5809AEBBF2FF89304F24D169D814AB356D735A982DF61
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: a334ab713e14a7c97204599f2abbce945d0c0bccec16e5238ddb728c3f77f7c1
                                                                                                      • Instruction ID: c16ffd70384b5104c5b2de05523265324a4d8b162eeb2533fbf580aeacd94b91
                                                                                                      • Opcode Fuzzy Hash: a334ab713e14a7c97204599f2abbce945d0c0bccec16e5238ddb728c3f77f7c1
                                                                                                      • Instruction Fuzzy Hash: F4E1B9B4E001198FCB14DFA9C5809AEFBF2FF89304F248169D415AB356D735A982DF61
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 944974d3d9c8cd52689495a1fe74e8f676317c987f0a6a1bab528c363e1f9d64
                                                                                                      • Instruction ID: 079afb6959b1d37c2f4f2323110cbc0ba538e1dd96926ffe071dc1ea07f175e1
                                                                                                      • Opcode Fuzzy Hash: 944974d3d9c8cd52689495a1fe74e8f676317c987f0a6a1bab528c363e1f9d64
                                                                                                      • Instruction Fuzzy Hash: B3E1B8B4E0011A8FCB14DFA9C5809AEBBF2FF89305F24C169D814AB356D735A942DF61
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 40ebb9c0848ff9865eafdb9f5cf7f726eab1026116b4d5839e242ca7890c44d1
                                                                                                      • Instruction ID: abf86f306759282448ec75ce369b3bfcdb7827cbf61693adcf163ac3e5b978d4
                                                                                                      • Opcode Fuzzy Hash: 40ebb9c0848ff9865eafdb9f5cf7f726eab1026116b4d5839e242ca7890c44d1
                                                                                                      • Instruction Fuzzy Hash: B2E1C9B4E002298FCB14DFA9C5809AEBBF2FF49304F248169D415AB355D735AD42DF61
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1775934568.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5670000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b705ab5ff3b92cd012ba1ded621d157a21a3ac74ec68c52df206c5f5f0346367
                                                                                                      • Instruction ID: e0e840764d1f5ed89dd26b94aad65d9538f53d507e827b3ad324c728d78d2f84
                                                                                                      • Opcode Fuzzy Hash: b705ab5ff3b92cd012ba1ded621d157a21a3ac74ec68c52df206c5f5f0346367
                                                                                                      • Instruction Fuzzy Hash: 9CD1DA31D2065A8ACB10EB64D990A9DF7B1FF95300F60CB9AD50977221EF70AEC9CB51
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1775934568.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5670000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 0ce3edf95af4285f8fba47324c7d8d5aab6e57ae56cfd63a4a22ef0640a789ac
                                                                                                      • Instruction ID: b75dc154f691699c9224d7b64c07c03808bc2b82d7011143603ad4783df8bbd3
                                                                                                      • Opcode Fuzzy Hash: 0ce3edf95af4285f8fba47324c7d8d5aab6e57ae56cfd63a4a22ef0640a789ac
                                                                                                      • Instruction Fuzzy Hash: C5D1DA31D2065A8ACB10EB64D990A9DF7B1FF95300F60CB9AD50977221EF70AEC9CB51
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1747401301.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_2f20000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8ce8a5a36aff6234851df7b0a8b5eba59f98a5a0a3a34b8871de19ed05a9f27b
                                                                                                      • Instruction ID: d86749b05512e2a9caabca464aa7f59ba8a665ba2146f16f01c61a6b40ff7542
                                                                                                      • Opcode Fuzzy Hash: 8ce8a5a36aff6234851df7b0a8b5eba59f98a5a0a3a34b8871de19ed05a9f27b
                                                                                                      • Instruction Fuzzy Hash: 9FA19032E102298FCF09DFB4C84459EB7B2FF86344B24457AE905AB265DB31E919CF80
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1775533793.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5630000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: a1eefb1a7b737268bd4a6633044cdb2da3af0ea0ab4f3a4a63fa083dd2e44b82
                                                                                                      • Instruction ID: 178a3aea127bf057c784d4cb3d457526a99640919f2c4d2b4cdc223edae305db
                                                                                                      • Opcode Fuzzy Hash: a1eefb1a7b737268bd4a6633044cdb2da3af0ea0ab4f3a4a63fa083dd2e44b82
                                                                                                      • Instruction Fuzzy Hash: 00C11CB8C8474A8BD710EF74E848189BBF1BFB5394B904A19D2626F2D0DBF4156ACF44
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 83edb67769edf5b2c269b734284cdcfe7d5b41427124e0d6fb61b37cc2a98f23
                                                                                                      • Instruction ID: d92c6bb48e29deffe9669fed39f22679f256ca796c9abe98d5174365bb02e700
                                                                                                      • Opcode Fuzzy Hash: 83edb67769edf5b2c269b734284cdcfe7d5b41427124e0d6fb61b37cc2a98f23
                                                                                                      • Instruction Fuzzy Hash: 0B91D2B0D0522DDFDB24CFAAD8847EDBBB5BF4A300F10916AD409A7261DB745A86DF01
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: bcab85b9d713c9878a18e1e9c993cdea2cbf0da49dc1e4cde7bb81c310181eb6
                                                                                                      • Instruction ID: 448f5691e7acaa75b2f86758c79f24c819f7f858f84983b0711b23c91233c716
                                                                                                      • Opcode Fuzzy Hash: bcab85b9d713c9878a18e1e9c993cdea2cbf0da49dc1e4cde7bb81c310181eb6
                                                                                                      • Instruction Fuzzy Hash: 3451ECB4E002198FDB14CFA9C9805AEFBF2BF89304F24C169D418A7356D7359A42CFA1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1790728340.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7c20000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: bf771745220f4709da7b845ae73f5b71c10b88567733d9a5b04d3a8f0fa60d5d
                                                                                                      • Instruction ID: 204e5f90c493ad56f38aa903b06f1d9475ae51deee38bf6999be72c2d7cd9821
                                                                                                      • Opcode Fuzzy Hash: bf771745220f4709da7b845ae73f5b71c10b88567733d9a5b04d3a8f0fa60d5d
                                                                                                      • Instruction Fuzzy Hash: 91C04CA699D124E6C700499A601D0F8F73CD28F122F003052D11EB2015C26041169554
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q
                                                                                                      • API String ID: 0-4202989938
                                                                                                      • Opcode ID: 932082b919f94869455d7ce20abc6d0bb54d31cc74298e1c539457b120836a59
                                                                                                      • Instruction ID: 10bc62bf42a81db38fa9489c66421bc2a5d52c36c104bc296706cb84900e6d6b
                                                                                                      • Opcode Fuzzy Hash: 932082b919f94869455d7ce20abc6d0bb54d31cc74298e1c539457b120836a59
                                                                                                      • Instruction Fuzzy Hash: B0213670A4110A9FCB08EFA9D9516AEBBB2FF94704F50856981056B364EF306D8A8B91
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q
                                                                                                      • API String ID: 0-4202989938
                                                                                                      • Opcode ID: 6cb747caae1c1b335eabe4e07439f98acf5e11706271c3948bf19eb0a6dbb3d8
                                                                                                      • Instruction ID: 7a44c299f25ad6f75bcc377471925550295ad8dc171828de357f3445bb73fdb2
                                                                                                      • Opcode Fuzzy Hash: 6cb747caae1c1b335eabe4e07439f98acf5e11706271c3948bf19eb0a6dbb3d8
                                                                                                      • Instruction Fuzzy Hash: F221E270E4110A9FCB0CEFA9D5505EEBBB2FF85704F50856981456B274EF306D898B92
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1796348096.0000000009540000.00000040.00000800.00020000.00000000.sdmp, Offset: 09540000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_9540000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: 4'^q$4'^q$4'^q$$^q
                                                                                                      • API String ID: 0-296639492
                                                                                                      • Opcode ID: 37a95b30daf0d6255d50745caea9b7ef5f8e209776723e987e7f72fba1817e40
                                                                                                      • Instruction ID: 5602eb3fceef83e768e10aa0576285cbcf46b5acb33535cfad2ddcde5e334c7d
                                                                                                      • Opcode Fuzzy Hash: 37a95b30daf0d6255d50745caea9b7ef5f8e209776723e987e7f72fba1817e40
                                                                                                      • Instruction Fuzzy Hash: 934183307805148FCB699F7E889A63E3BE7BFC8B447294869E107CB364DE25DC4A8751

Execution Graph

Execution Coverage: 7.9%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 89
Total number of Limit Nodes: 7
                                                                                                      execution_graph 14359 30c4668 14360 30c4676 14359->14360 14365 30c6de0 14360->14365 14363 30c4704 14366 30c6e05 14365->14366 14374 30c6edf 14366->14374 14378 30c6ef0 14366->14378 14367 30c46e9 14370 30c421c 14367->14370 14371 30c4227 14370->14371 14386 30c8560 14371->14386 14373 30c8806 14373->14363 14375 30c6f17 14374->14375 14376 30c6ff4 14375->14376 14382 30c6414 14375->14382 14380 30c6f17 14378->14380 14379 30c6ff4 14379->14379 14380->14379 14381 30c6414 CreateActCtxA 14380->14381 14381->14379 14383 30c7370 CreateActCtxA 14382->14383 14385 30c7433 14383->14385 14387 30c856b 14386->14387 14390 30c8580 14387->14390 14389 30c88dd 14389->14373 14391 30c858b 14390->14391 14394 30c85b0 14391->14394 14393 30c89ba 14393->14389 14395 30c85bb 14394->14395 14398 30c85e0 14395->14398 14397 30c8aad 14397->14393 14399 30c85eb 14398->14399 14401 30c9e93 14399->14401 14405 30cbed1 14399->14405 14400 30c9ed1 14400->14397 14401->14400 14411 30cdf70 14401->14411 14416 30cdf60 14401->14416 14406 30cbeda 14405->14406 14408 30cbe91 14405->14408 14421 30cbf08 14406->14421 14424 30cbef8 14406->14424 14407 30cbee6 14407->14401 14408->14401 14413 30cdf91 14411->14413 14412 30cdfb5 14412->14400 14413->14412 14432 30ce110 14413->14432 14436 30ce120 14413->14436 14418 30cdf70 14416->14418 14417 30cdfb5 14417->14400 14418->14417 14419 30ce110 3 API calls 14418->14419 14420 30ce120 3 API calls 14418->14420 14419->14417 14420->14417 14427 30cbff0 14421->14427 14422 30cbf17 14422->14407 14425 30cbf17 14424->14425 14426 30cbff0 GetModuleHandleW 14424->14426 14425->14407 14426->14425 14428 30cc034 14427->14428 14429 30cc011 14427->14429 14428->14422 14429->14428 14430 30cc238 GetModuleHandleW 14429->14430 14431 30cc265 14430->14431 14431->14422 14433 30ce120 14432->14433 14434 30ce166 14433->14434 14440 30cc464 14433->14440 14434->14412 14437 30ce12d 14436->14437 14438 30ce166 14437->14438 14439 
30cc464 3 API calls 14437->14439 14438->14412 14439->14438 14441 30cc46f 14440->14441 14443 30ce1d8 14441->14443 14444 30cc498 14441->14444 14443->14443 14445 30cc4a3 14444->14445 14446 30c85e0 3 API calls 14445->14446 14447 30ce247 14446->14447 14448 30ce256 14447->14448 14451 30ce2b0 14447->14451 14455 30ce2c0 14447->14455 14448->14443 14452 30ce2ee 14451->14452 14453 30ce3ba KiUserCallbackDispatcher 14452->14453 14454 30ce3bf 14452->14454 14453->14454 14457 30ce2ee 14455->14457 14456 30ce3bf 14457->14456 14458 30ce3ba KiUserCallbackDispatcher 14457->14458 14458->14456 14459 30c6540 14460 30c6586 14459->14460 14464 30c670f 14460->14464 14468 30c6720 14460->14468 14461 30c6673 14465 30c674e 14464->14465 14466 30c6713 14464->14466 14465->14461 14471 30c611c 14466->14471 14469 30c611c DuplicateHandle 14468->14469 14470 30c674e 14469->14470 14470->14461 14472 30c6788 DuplicateHandle 14471->14472 14474 30c681e 14472->14474 14474->14465

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 558 30cbff0-30cc00f 559 30cc03b-30cc03f 558->559 560 30cc011-30cc01e call 30caf60 558->560 561 30cc041-30cc04b 559->561 562 30cc053-30cc094 559->562 567 30cc034 560->567 568 30cc020 560->568 561->562 569 30cc096-30cc09e 562->569 570 30cc0a1-30cc0af 562->570 567->559 613 30cc026 call 30cc698 568->613 614 30cc026 call 30cc689 568->614 569->570 571 30cc0b1-30cc0b6 570->571 572 30cc0d3-30cc0d5 570->572 575 30cc0b8-30cc0bf call 30caf6c 571->575 576 30cc0c1 571->576 574 30cc0d8-30cc0df 572->574 573 30cc02c-30cc02e 573->567 577 30cc170-30cc230 573->577 578 30cc0ec-30cc0f3 574->578 579 30cc0e1-30cc0e9 574->579 581 30cc0c3-30cc0d1 575->581 576->581 608 30cc238-30cc263 GetModuleHandleW 577->608 609 30cc232-30cc235 577->609 582 30cc0f5-30cc0fd 578->582 583 30cc100-30cc109 call 30caf7c 578->583 579->578 581->574 582->583 589 30cc10b-30cc113 583->589 590 30cc116-30cc11b 583->590 589->590 591 30cc11d-30cc124 590->591 592 30cc139-30cc146 590->592 591->592 594 30cc126-30cc136 call 30caf8c call 30caf9c 591->594 598 30cc148-30cc166 592->598 599 30cc169-30cc16f 592->599 594->592 598->599 610 30cc26c-30cc280 608->610 611 30cc265-30cc26b 608->611 609->608 611->610 613->573 614->573
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 030CC256
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.1774046016.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_30c0000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule
                                                                                                      • String ID:
                                                                                                      • API String ID: 4139908857-0
                                                                                                      • Opcode ID: 55168bef3685e22ab27e9e1d0b44a4477be87fb63db9be3a80d1bb412053de6f
                                                                                                      • Instruction ID: 11e46c8090316a9b1e741ad71d7b610f14fd019347a9e031b4fcf32486504f0e
                                                                                                      • Opcode Fuzzy Hash: 55168bef3685e22ab27e9e1d0b44a4477be87fb63db9be3a80d1bb412053de6f
                                                                                                      • Instruction Fuzzy Hash: 458179B0A11B458FE764DF69C44079ABBF1FF88300F148A2DD48ADBA50D775E946CB90

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 615 30c6414-30c7431 CreateActCtxA 618 30c743a-30c7494 615->618 619 30c7433-30c7439 615->619 626 30c7496-30c7499 618->626 627 30c74a3-30c74a7 618->627 619->618 626->627 628 30c74b8 627->628 629 30c74a9-30c74b5 627->629 631 30c74b9 628->631 629->628 631->631
                                                                                                      APIs
                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 030C7421
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.1774046016.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_30c0000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Create
                                                                                                      • String ID:
                                                                                                      • API String ID: 2289755597-0
                                                                                                      • Opcode ID: b2c964ab58a879514be57fb600c760b2efa72b34981162c271bca60716b23c89
                                                                                                      • Instruction ID: a44e972998c1eb4285c4b92bf830dce83fd48d3240795e2b4072877ac1d8367e
                                                                                                      • Opcode Fuzzy Hash: b2c964ab58a879514be57fb600c760b2efa72b34981162c271bca60716b23c89
                                                                                                      • Instruction Fuzzy Hash: E641DDB0C00619CFDB24DFA9C844BDEBBF6BF49704F24806AD408AB265DB756985CF91

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 632 30c7364-30c7431 CreateActCtxA 634 30c743a-30c7494 632->634 635 30c7433-30c7439 632->635 642 30c7496-30c7499 634->642 643 30c74a3-30c74a7 634->643 635->634 642->643 644 30c74b8 643->644 645 30c74a9-30c74b5 643->645 647 30c74b9 644->647 645->644 647->647
                                                                                                      APIs
                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 030C7421
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.1774046016.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_30c0000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Create
                                                                                                      • String ID:
                                                                                                      • API String ID: 2289755597-0
                                                                                                      • Opcode ID: 00cdf9bd2cfa015a19b302c58eeacc09acff3e9e69f6f1e9df23000aeee1da2e
                                                                                                      • Instruction ID: b7be6f8943af12e7007a137c65f7c36294f4704fb6c8133b47c3d3e43acc1255
                                                                                                      • Opcode Fuzzy Hash: 00cdf9bd2cfa015a19b302c58eeacc09acff3e9e69f6f1e9df23000aeee1da2e
                                                                                                      • Instruction Fuzzy Hash: 0841F1B0C00659CFDB24CFA9C944BCEBBF5BF49304F24806AD448AB255DB755949CF91

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 648 30c6780-30c67dc 651 30c67df-30c681c DuplicateHandle 648->651 652 30c681e-30c6824 651->652 653 30c6825-30c6842 651->653 652->653
                                                                                                      APIs
                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,030C674E,?,?,?,?,?), ref: 030C680F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.1774046016.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_30c0000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DuplicateHandle
                                                                                                      • String ID:
                                                                                                      • API String ID: 3793708945-0
                                                                                                      • Opcode ID: 74ca1920a26ad05af018b1cc2955dcfb998211b2ddc37b4447193d39286350ea
                                                                                                      • Instruction ID: f45134db8bfdcea362e11d2bbe6ba1d4d24c8592239800cdae9d664467f2323f
                                                                                                      • Opcode Fuzzy Hash: 74ca1920a26ad05af018b1cc2955dcfb998211b2ddc37b4447193d39286350ea
                                                                                                      • Instruction Fuzzy Hash: 8D2148B1910248DFCB10CFA9D884AEEBFF4FB08320F14855AE854A3250D379A944CF65

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 656 30c611c-30c681c DuplicateHandle 659 30c681e-30c6824 656->659 660 30c6825-30c6842 656->660 659->660
                                                                                                      APIs
                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,030C674E,?,?,?,?,?), ref: 030C680F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.1774046016.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_30c0000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DuplicateHandle
                                                                                                      • String ID:
                                                                                                      • API String ID: 3793708945-0
                                                                                                      • Opcode ID: 2247520220d95ab1362bff5dea485d6aa8e6c4fa1aa093fabbc553d4687895e6
                                                                                                      • Instruction ID: d32f34ecb7472bb96b25d8d13c60a15b3baac2e7e3b77aba687106689d0e910d
                                                                                                      • Opcode Fuzzy Hash: 2247520220d95ab1362bff5dea485d6aa8e6c4fa1aa093fabbc553d4687895e6
                                                                                                      • Instruction Fuzzy Hash: 212103B59002489FDB10CF9AD984AEEBBF4FB48320F14841AE918A3350D375A944CFA1

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 663 30cc1f0-30cc230 664 30cc238-30cc263 GetModuleHandleW 663->664 665 30cc232-30cc235 663->665 666 30cc26c-30cc280 664->666 667 30cc265-30cc26b 664->667 665->664 667->666
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 030CC256
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.1774046016.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_30c0000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule
                                                                                                      • String ID:
                                                                                                      • API String ID: 4139908857-0
                                                                                                      • Opcode ID: ba106e690039f631b7b9d0e5197a64e616fb876f7fa7466098c895e116085a0a
                                                                                                      • Instruction ID: 26559bf80e527320bb41ded21019e1c6e04af6350b8cf842b54c1830e66004b4
                                                                                                      • Opcode Fuzzy Hash: ba106e690039f631b7b9d0e5197a64e616fb876f7fa7466098c895e116085a0a
                                                                                                      • Instruction Fuzzy Hash: 731113B5C003498FDB10DF9AC444ADEFBF4EB89310F14841AD419B7220C375A545CFA1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.1764939609.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_137d000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 48b122d6f90ae9d303157eaf45f326e5e489f9e0df0358e50854bb09eb120f70
                                                                                                      • Instruction ID: 4ea371ee59020f9a6caca5cb1c1c1eade84d41555421f44eccc90d5db76454ab
                                                                                                      • Opcode Fuzzy Hash: 48b122d6f90ae9d303157eaf45f326e5e489f9e0df0358e50854bb09eb120f70
                                                                                                      • Instruction Fuzzy Hash: 90212271604204DFCB26DF58D9C4B26BFA5FF88318F20C56DD80A4B256C33AD447CA61
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.1764939609.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_137d000_RFQ.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 2acd7d25fdb007b59164fbbda65e874bca87610e1a6f4c37271680729a1002ef
                                                                                                      • Instruction ID: 107f34f9ee7074f8d3fcfa9711080b1b6fbe4006fb59b0b19cf80e701eb46d62
                                                                                                      • Opcode Fuzzy Hash: 2acd7d25fdb007b59164fbbda65e874bca87610e1a6f4c37271680729a1002ef
                                                                                                      • Instruction Fuzzy Hash: A7216F755093808FDB13CF64D994715BF71EF46218F28C5EAD8498F6A7C33A980ACB62

Execution Graph

Execution Coverage: 10%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 247
Total number of Limit Nodes: 7
                                                                                                      execution_graph 45751 4e97dd8 45752 4e97e05 45751->45752 45805 4e97804 45752->45805 45754 4e97e67 45809 4e97814 45754->45809 45756 4e97e99 45757 4e97814 CreateWindowExW 45756->45757 45758 4e97ecb 45757->45758 45759 4e97814 CreateWindowExW 45758->45759 45760 4e97efd 45759->45760 45761 4e97814 CreateWindowExW 45760->45761 45762 4e97f2f 45761->45762 45763 4e97814 CreateWindowExW 45762->45763 45764 4e97f61 45763->45764 45815 4e97824 45764->45815 45767 4e97824 CreateWindowExW 45768 4e97fc5 45767->45768 45769 4e97824 CreateWindowExW 45768->45769 45770 4e97ff7 45769->45770 45771 4e97824 CreateWindowExW 45770->45771 45772 4e98029 45771->45772 45773 4e97824 CreateWindowExW 45772->45773 45774 4e9805b 45773->45774 45775 4e97814 CreateWindowExW 45774->45775 45776 4e9808d 45775->45776 45777 4e97814 CreateWindowExW 45776->45777 45778 4e980bf 45777->45778 45779 4e97814 CreateWindowExW 45778->45779 45780 4e980f1 45779->45780 45781 4e97814 CreateWindowExW 45780->45781 45782 4e98123 45781->45782 45783 4e97824 CreateWindowExW 45782->45783 45784 4e98155 45783->45784 45785 4e97824 CreateWindowExW 45784->45785 45786 4e98187 45785->45786 45787 4e97824 CreateWindowExW 45786->45787 45788 4e985a1 45787->45788 45789 4e97824 CreateWindowExW 45788->45789 45790 4e985d3 45789->45790 45791 4e97804 CreateWindowExW 45790->45791 45792 4e98605 45791->45792 45793 4e97814 CreateWindowExW 45792->45793 45794 4e98637 45793->45794 45795 4e97814 CreateWindowExW 45794->45795 45796 4e98669 45795->45796 45797 4e97814 CreateWindowExW 45796->45797 45798 4e9869b 45797->45798 45799 4e97824 CreateWindowExW 45798->45799 45800 4e986cd 45799->45800 45801 4e97824 CreateWindowExW 45800->45801 45802 4e986ff 45801->45802 45803 4e97824 CreateWindowExW 45802->45803 45804 4e98731 45803->45804 45806 4e9780f 45805->45806 45819 4e97a28 45806->45819 45808 4e9c0fb 45808->45754 45810 4e9781f 45809->45810 45811 4e9ca3b 45810->45811 
45812 f45e04 CreateWindowExW 45810->45812 45813 f487b9 CreateWindowExW 45810->45813 45814 f487cb CreateWindowExW 45810->45814 45811->45756 45812->45811 45813->45811 45814->45811 45816 4e9782f 45815->45816 45817 4e97c94 CreateWindowExW 45816->45817 45818 4e97f93 45817->45818 45818->45767 45820 4e97a33 45819->45820 45822 f45e04 CreateWindowExW 45820->45822 45823 f487b9 CreateWindowExW 45820->45823 45824 f487cb CreateWindowExW 45820->45824 45821 4e9c1ec 45821->45808 45822->45821 45823->45821 45824->45821 45689 bfd01c 45690 bfd034 45689->45690 45691 bfd08e 45690->45691 45696 4e91ee8 45690->45696 45700 4e90b1c 45690->45700 45709 4e92c48 45690->45709 45718 4e91ed8 45690->45718 45697 4e91eec 45696->45697 45698 4e90b1c CallWindowProcW 45697->45698 45699 4e91f2f 45698->45699 45699->45691 45703 4e90b27 45700->45703 45701 4e92cb9 45738 4e90c44 45701->45738 45703->45701 45704 4e92ca9 45703->45704 45722 4e92eac 45704->45722 45728 4e92dd3 45704->45728 45733 4e92de0 45704->45733 45705 4e92cb7 45710 4e92c58 45709->45710 45711 4e92cb9 45710->45711 45714 4e92ca9 45710->45714 45712 4e90c44 CallWindowProcW 45711->45712 45713 4e92cb7 45712->45713 45715 4e92eac CallWindowProcW 45714->45715 45716 4e92de0 CallWindowProcW 45714->45716 45717 4e92dd3 CallWindowProcW 45714->45717 45715->45713 45716->45713 45717->45713 45719 4e91ee8 45718->45719 45720 4e90b1c CallWindowProcW 45719->45720 45721 4e91f2f 45720->45721 45721->45691 45723 4e92e6a 45722->45723 45724 4e92eba 45722->45724 45742 4e92e98 45723->45742 45745 4e92e90 45723->45745 45725 4e92e80 45725->45705 45729 4e92df4 45728->45729 45731 4e92e98 CallWindowProcW 45729->45731 45732 4e92e90 CallWindowProcW 45729->45732 45730 4e92e80 45730->45705 45731->45730 45732->45730 45735 4e92df4 45733->45735 45734 4e92e80 45734->45705 45736 4e92e98 CallWindowProcW 45735->45736 45737 4e92e90 CallWindowProcW 45735->45737 45736->45734 45737->45734 45739 4e90c4f 45738->45739 45740 4e9439a CallWindowProcW 45739->45740 45741 4e94349 45739->45741 45740->45741 
45741->45705 45743 4e92ea9 45742->45743 45748 4e942d2 45742->45748 45743->45725 45746 4e92ea9 45745->45746 45747 4e942d2 CallWindowProcW 45745->45747 45746->45725 45747->45746 45749 4e90c44 CallWindowProcW 45748->45749 45750 4e942ea 45749->45750 45750->45743 45532 4e9d620 45533 4e9d630 45532->45533 45536 4e97c94 45533->45536 45535 4e9d63f 45537 4e97c9f 45536->45537 45538 4e9d672 45537->45538 45542 f45e04 45537->45542 45547 f487cb 45537->45547 45552 f487b9 45537->45552 45538->45535 45543 f45e0f 45542->45543 45544 f48ac9 45543->45544 45557 f4d230 45543->45557 45562 f4d221 45543->45562 45544->45538 45549 f48803 45547->45549 45548 f48ac9 45548->45538 45549->45548 45550 f4d230 CreateWindowExW 45549->45550 45551 f4d221 CreateWindowExW 45549->45551 45550->45548 45551->45548 45554 f487bd 45552->45554 45553 f48ac9 45553->45538 45554->45553 45555 f4d230 CreateWindowExW 45554->45555 45556 f4d221 CreateWindowExW 45554->45556 45555->45553 45556->45553 45559 f4d234 45557->45559 45558 f4d275 45558->45544 45559->45558 45567 f4d3e0 45559->45567 45571 f4d3cf 45559->45571 45564 f4d230 45562->45564 45563 f4d275 45563->45544 45564->45563 45565 f4d3e0 CreateWindowExW 45564->45565 45566 f4d3cf CreateWindowExW 45564->45566 45565->45563 45566->45563 45568 f4d3ed 45567->45568 45570 f4d427 45568->45570 45575 f4cd18 45568->45575 45570->45558 45572 f4d3ed 45571->45572 45573 f4d427 45572->45573 45574 f4cd18 CreateWindowExW 45572->45574 45573->45558 45574->45573 45576 f4cd23 45575->45576 45578 f4dd38 45576->45578 45579 f4ce44 45576->45579 45578->45578 45580 f4ce4f 45579->45580 45581 f45e04 CreateWindowExW 45580->45581 45582 f4dda7 45581->45582 45586 f4fb20 45582->45586 45592 f4fb08 45582->45592 45583 f4dde1 45583->45578 45588 f4fb51 45586->45588 45589 f4fc51 45586->45589 45587 f4fb5d 45587->45583 45588->45587 45597 4e90e00 45588->45597 45602 4e90e10 45588->45602 45589->45583 45593 f4fb17 45592->45593 45594 f4faf6 45592->45594 45593->45594 45595 4e90e00 CreateWindowExW 45593->45595 45596 4e90e10 
CreateWindowExW 45593->45596 45594->45583 45595->45594 45596->45594 45598 4e90e3b 45597->45598 45599 4e90eea 45598->45599 45607 4e91ce0 45598->45607 45610 4e91bd3 45598->45610 45604 4e90e3b 45602->45604 45603 4e90eea 45603->45603 45604->45603 45605 4e91ce0 CreateWindowExW 45604->45605 45606 4e91bd3 CreateWindowExW 45604->45606 45605->45603 45606->45603 45615 4e90af0 45607->45615 45611 4e91c20 45610->45611 45612 4e91c24 45610->45612 45611->45599 45613 4e91c60 45612->45613 45614 4e90af0 CreateWindowExW 45612->45614 45613->45599 45614->45613 45616 4e91d30 CreateWindowExW 45615->45616 45618 4e91e54 45616->45618 45619 f4d4f8 45620 f4d4fc 45619->45620 45624 f4d6c7 45620->45624 45628 f4d6d8 45620->45628 45621 f4d62b 45625 f4d6d8 45624->45625 45632 f4cde0 45625->45632 45629 f4d6dc 45628->45629 45630 f4cde0 DuplicateHandle 45629->45630 45631 f4d706 45630->45631 45631->45621 45633 f4d740 DuplicateHandle 45632->45633 45635 f4d706 45633->45635 45635->45621 45636 f4b178 45639 f4b261 45636->45639 45637 f4b187 45640 f4b2a4 45639->45640 45641 f4b281 45639->45641 45640->45637 45641->45640 45642 f4b4a8 GetModuleHandleW 45641->45642 45643 f4b4d5 45642->45643 45643->45637 45644 f44668 45645 f4467a 45644->45645 45646 f44686 45645->45646 45650 f44779 45645->45650 45655 f44204 45646->45655 45648 f446a5 45651 f4479d 45650->45651 45661 f44888 45651->45661 45665 f44879 45651->45665 45656 f4420f 45655->45656 45673 f45d54 45656->45673 45658 f4707f 45677 f45d74 45658->45677 45660 f470d4 45660->45648 45663 f4488c 45661->45663 45662 f4498c 45663->45662 45669 f44514 45663->45669 45667 f44888 45665->45667 45666 f4498c 45667->45666 45668 f44514 CreateActCtxA 45667->45668 45668->45666 45670 f45918 CreateActCtxA 45669->45670 45672 f459db 45670->45672 45674 f45d5f 45673->45674 45675 f45d74 CreateWindowExW 45674->45675 45676 f472a0 45675->45676 45676->45658 45678 f45d7f 45677->45678 45681 f45da4 45678->45681 45680 f47345 45680->45660 45682 f45daf 45681->45682 45685 f45dd4 45682->45685 45684 f47422 
45684->45680 45686 f45ddf 45685->45686 45687 f45e04 CreateWindowExW 45686->45687 45688 f47525 45687->45688 45688->45684 45825 704e478 45828 704e47c 45825->45828 45826 704e603 45828->45826 45829 7047c84 45828->45829 45830 704e6f8 PostMessageW 45829->45830 45831 704e764 45830->45831 45831->45828
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: (o^q$(o^q$,bq$,bq$Hbq
                                                                                                      • API String ID: 0-3486158592
                                                                                                      • Opcode ID: dab9cb1fea5784e183d69c9cddaccbe9b6b46ed0e57d0f2fd5cfd97e5d2ad6c1
                                                                                                      • Instruction ID: 35b203b5f6bc5e11d3ab9d2b1d22ae3919941e4d88149cf19c80dfdfb2131cc7
                                                                                                      • Opcode Fuzzy Hash: dab9cb1fea5784e183d69c9cddaccbe9b6b46ed0e57d0f2fd5cfd97e5d2ad6c1
                                                                                                      • Instruction Fuzzy Hash: 3F526DF4A001159FDB58DF69C498AAEBBF6BF84710F158269EC169B360DB31EC41CB90
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: (o^q$(o^q$,bq$,bq$Hbq
                                                                                                      • API String ID: 0-3486158592
                                                                                                      • Opcode ID: 33a429636363edadc1b66d9a66cb3730f9eac91d63b9fc44d88d94abd45c39c1
                                                                                                      • Instruction ID: 4fddda043861004bfbd3f8ea60b15287ea44ee6e35c1034b2c7e77d097c5679a
                                                                                                      • Opcode Fuzzy Hash: 33a429636363edadc1b66d9a66cb3730f9eac91d63b9fc44d88d94abd45c39c1
                                                                                                      • Instruction Fuzzy Hash: A122BFB4B002068FCB18DF69C558A6F7BF6AF89300F198569E845DB361CB35ED41CB91
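The control_flow_graph listings on this page are flattened: node definitions (`<id> <address>` with an optional API name or `call <target>` annotation) and edges (`a->b`) are interleaved in one run of text. The question an analyst actually wants answered from them is "which Windows APIs does this unpacked function reach from its entry block?" The parser and reachability walk below are an added example for that, not Joe Sandbox code and not part of the original report; the token rules it implements are inferred from the listings above (a bare decimal token followed by a hex token or hex range opens a node; everything else annotates the current node; the operand of `call` is consumed as part of the annotation), and its sample input is an excerpt of the listings above for the functions at bfd01c and f4b178 plus one range-style node.

```python
"""Parse a flattened Joe Sandbox control_flow_graph listing and report which
API-annotated basic blocks are reachable from each entry block.
Added example; the token grammar is an assumption inferred from the page."""
import re
from collections import deque
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
# a single hex address ("4e90b1c") or a range ("f4b281-f4b28e")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$", re.I)


@dataclass
class Node:
    addr: str                                   # address or "start-end" range
    notes: list = field(default_factory=list)   # API names and "call <target>"


@dataclass
class Cfg:
    nodes: dict = field(default_factory=dict)   # node id -> Node
    succ: dict = field(default_factory=dict)    # node id -> [successor ids]


def parse_cfg(text: str) -> Cfg:
    """Tokenise on whitespace and apply the three rules from the lead-in."""
    cfg = Cfg()
    toks = text.split()
    i, cur = 0, None
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:                                   # "a->b"
            cfg.succ.setdefault(int(m.group(1)), []).append(int(m.group(2)))
            i += 1
            continue
        if t.isdigit() and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            cur = int(t)                        # "<id> <addr>" opens a node
            cfg.nodes[cur] = Node(toks[i + 1])
            i += 2
            continue
        if cur is None:
            raise ValueError(f"annotation {t!r} before any node definition")
        if t == "call" and i + 1 < len(toks):   # keep "call <target>" together
            cfg.nodes[cur].notes.append(f"call {toks[i + 1]}")
            i += 2
        else:                                   # an API name such as CreateWindowExW
            cfg.nodes[cur].notes.append(t)
            i += 1
    return cfg


def reachable_apis(cfg: Cfg, entry: int) -> list:
    """BFS over successor edges; sorted API names on any block reachable from entry."""
    seen, queue, apis = {entry}, deque([entry]), set()
    while queue:
        n = queue.popleft()
        if n in cfg.nodes:
            apis.update(x for x in cfg.nodes[n].notes if not x.startswith("call "))
        for s in cfg.succ.get(n, []):
            if s not in seen:
                seen.add(s)
                queue.append(s)
    return sorted(apis)


def entry_points(cfg: Cfg) -> list:
    """Blocks that are never an edge target: the function entries in the listing."""
    targets = {s for succs in cfg.succ.values() for s in succs}
    return sorted(n for n in cfg.nodes if n not in targets)


def nodes_with_api(cfg: Cfg, api: str) -> list:
    """Block addresses annotated with `api` (where a breakpoint would go)."""
    return sorted(n.addr for n in cfg.nodes.values() if api in n.notes)


def api_summary(cfg: Cfg) -> dict:
    """entry address -> APIs reachable from it."""
    return {cfg.nodes[e].addr: reachable_apis(cfg, e) for e in entry_points(cfg)}


# Constructed input: an excerpt of the listings above (two functions plus a
# range-style node), joined as the page presents them.
SAMPLE = """
45689 bfd01c 45690 bfd034 45689->45690 45691 bfd08e 45690->45691
45696 4e91ee8 45690->45696 45697 4e91eec 45696->45697
45698 4e90b1c CallWindowProcW 45697->45698 45699 4e91f2f 45698->45699 45699->45691
45636 f4b178 45639 f4b261 45636->45639 45637 f4b187 45640 f4b2a4 45639->45640
45641 f4b281 45639->45641 45640->45637 45641->45640
45642 f4b4a8 GetModuleHandleW 45641->45642 45643 f4b4d5 45642->45643 45643->45637
5196 f4b261-f4b27f 5197 f4b281-f4b28e call f487b8 5196->5197
"""

if __name__ == "__main__":
    graph = parse_cfg(SAMPLE)
    for addr, apis in api_summary(graph).items():
        print(f"{addr}: {', '.join(apis) or '(no API reached)'}")
```

Running it on the excerpt reports that the block at bfd01c reaches CallWindowProcW and the block at f4b178 reaches GetModuleHandleW, which is what the listing above says in a form that can be compared across the 0xF40000, 0x4E90000 and 0x7050000 dumps. Paste a whole listing into `SAMPLE` to get the same summary for every function in it.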

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 730 7050006-705000b 731 705000c-7050014 730->731 732 7050016-7050033 731->732 733 7050038 731->733 732->733 733->731 734 705003a-705006b 733->734 736 7050072-7050c98 734->736 737 705006d 734->737 927 7050ca3-7050ca9 736->927 737->736 928 7050cb5-7054668 927->928 1338 7054692 928->1338 1339 705466a-7054676 928->1339 1340 7054698-7055007 1338->1340 1341 7054680-7054686 1339->1341 1342 7054678-705467e 1339->1342 1343 7054690 1341->1343 1342->1343 1343->1340
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b9e3207ef80b7140b73e658fdae4d594c538ba2a866ad88ed33fa85cc9218737
                                                                                                      • Instruction ID: e25f7a0174029b7901bc0ca98ad6f4ec14396ffbc24e355ed9dacc35fd150a0e
                                                                                                      • Opcode Fuzzy Hash: b9e3207ef80b7140b73e658fdae4d594c538ba2a866ad88ed33fa85cc9218737
                                                                                                      • Instruction Fuzzy Hash: 84B3D534A51219CFDB24EF64C894A99B7F2FF89300F1196E9D4486B361DB71AE85CF80

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 1443 7050040-705006b 1444 7050072-7050ca9 1443->1444 1445 705006d 1443->1445 1636 7050cb5-7054668 1444->1636 1445->1444 2046 7054692 1636->2046 2047 705466a-7054676 1636->2047 2048 7054698-7055007 2046->2048 2049 7054680-7054686 2047->2049 2050 7054678-705467e 2047->2050 2051 7054690 2049->2051 2050->2051 2051->2048
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e586cd22756b68dfdb120f7ee0deab0f7a5cd4b9817ae52ffa8caccbbf08d547
                                                                                                      • Instruction ID: 047dbb4638cc27e9c151a8f4d5fced1f879efab53a2a16beca8afe28d21d85f6
                                                                                                      • Opcode Fuzzy Hash: e586cd22756b68dfdb120f7ee0deab0f7a5cd4b9817ae52ffa8caccbbf08d547
                                                                                                      • Instruction Fuzzy Hash: 4AB3D534A51219CFDB24EF64C894A99B7F2FF89300F1196E9D4486B361DB71AE85CF80

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 3918 70556e8-7055713 3919 7055715 3918->3919 3920 705571a-7055c3f 3918->3920 3919->3920 3998 7055c5c-7055c75 3920->3998 4000 7055c77-7055c9d 3998->4000 4001 7055c9f-7055ca1 3998->4001 4002 7055ca4-7055caf 4000->4002 4001->4002 4004 7055c41-7055c4b 4002->4004 4005 7055cb1-7055d10 4002->4005 4462 7055c51 call 70596e0 4004->4462 4463 7055c51 call 7059718 4004->4463 4458 7055d13 call 705a7b9 4005->4458 4459 7055d13 call 705a7c8 4005->4459 4006 7055c57-7055c5b 4006->3998 4011 7055d19-7055d5a 4464 7055d5d call 705a7b9 4011->4464 4465 7055d5d call 705a7c8 4011->4465 4014 7055d63-7055d7a 4016 7055d84-7055d8b 4014->4016 4017 7055d7c-7055d82 4014->4017 4019 7055d92-7055d95 4016->4019 4020 7055d8d 4016->4020 4018 7055d98-705604c 4017->4018 4460 7056052 call 705fcd9 4018->4460 4461 7056052 call 705fce8 4018->4461 4019->4018 4020->4019 4062 7056057-7058795 4350 7058797-70587a3 4062->4350 4351 70587bf 4062->4351 4353 70587a5-70587ab 4350->4353 4354 70587ad-70587b3 4350->4354 4352 70587c5-70592ba 4351->4352 4355 70587bd 4353->4355 4354->4355 4355->4352 4458->4011 4459->4011 4460->4062 4461->4062 4462->4006 4463->4006 4464->4014 4465->4014
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8ac728d6619d6b354e2fc0f8a46ccfb0a04191102f8a7dba395dbb0c6d5c8df0
                                                                                                      • Instruction ID: dbf66006582c5525d120ca46ac246e857d3208b5768c0e31542aaf6a03dc67a2
                                                                                                      • Opcode Fuzzy Hash: 8ac728d6619d6b354e2fc0f8a46ccfb0a04191102f8a7dba395dbb0c6d5c8df0
                                                                                                      • Instruction Fuzzy Hash: CE83D534A11619CFEB24EF68C894A99B7B2FF89304F1156E9D4086B361DB31AED5CF40

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 4466 70556d9-7055713 4468 7055715 4466->4468 4469 705571a-7055c3f 4466->4469 4468->4469 4547 7055c5c-7055c75 4469->4547 4549 7055c77-7055c9d 4547->4549 4550 7055c9f-7055ca1 4547->4550 4551 7055ca4-7055caf 4549->4551 4550->4551 4553 7055c41-7055c4b 4551->4553 4554 7055cb1-7055cfc 4551->4554 5009 7055c51 call 70596e0 4553->5009 5010 7055c51 call 7059718 4553->5010 4559 7055d04-7055d10 4554->4559 4555 7055c57-7055c5b 4555->4547 5013 7055d13 call 705a7b9 4559->5013 5014 7055d13 call 705a7c8 4559->5014 4560 7055d19-7055d47 4562 7055d4e-7055d5a 4560->4562 5011 7055d5d call 705a7b9 4562->5011 5012 7055d5d call 705a7c8 4562->5012 4563 7055d63-7055d7a 4565 7055d84-7055d8b 4563->4565 4566 7055d7c-7055d82 4563->4566 4568 7055d92-7055d95 4565->4568 4569 7055d8d 4565->4569 4567 7055d98-705603c 4566->4567 4610 7056046-705604c 4567->4610 4568->4567 4569->4568 5007 7056052 call 705fcd9 4610->5007 5008 7056052 call 705fce8 4610->5008 4611 7056057-7058795 4899 7058797-70587a3 4611->4899 4900 70587bf 4611->4900 4902 70587a5-70587ab 4899->4902 4903 70587ad-70587b3 4899->4903 4901 70587c5-70592ba 4900->4901 4904 70587bd 4902->4904 4903->4904 4904->4901 5007->4611 5008->4611 5009->4555 5010->4555 5011->4563 5012->4563 5013->4560 5014->4560
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 15aeeaccf2aa677f23b57205604ff10095b87a0c82ad440481fea9039ca13213
                                                                                                      • Instruction ID: ae01b8e3db0bbc4698fc8045c34639bfc0414e74c9817abfd7e8c8276c25e512
                                                                                                      • Opcode Fuzzy Hash: 15aeeaccf2aa677f23b57205604ff10095b87a0c82ad440481fea9039ca13213
                                                                                                      • Instruction Fuzzy Hash: 6483D534A11619CFEB24EF68C894A99B7B2FF89304F1156E9D4086B361DB31AED5CF40

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 5041 705dfee-705dff2 5042 705e9b5-705e9c7 5041->5042 5043 705dff3-705e008 5041->5043 5043->5042 5044 705e009-705e014 5043->5044 5046 705e01a-705e026 5044->5046 5047 705e032-705e041 5046->5047 5049 705e0a0-705e0a4 5047->5049 5050 705e14c-705e1b6 5049->5050 5051 705e0aa-705e0b3 5049->5051 5050->5042 5089 705e1bc-705e703 5050->5089 5052 705dfae-705dfba 5051->5052 5053 705e0b9-705e0cf 5051->5053 5052->5042 5055 705dfc0-705dfcc 5052->5055 5059 705e121-705e133 5053->5059 5060 705e0d1-705e0d4 5053->5060 5057 705e043-705e049 5055->5057 5058 705dfce-705dfe2 5055->5058 5057->5042 5061 705e04f-705e067 5057->5061 5058->5057 5068 705dfe4-705dfed 5058->5068 5069 705e8f4-705e9aa 5059->5069 5070 705e139-705e13c 5059->5070 5060->5042 5063 705e0da-705e117 5060->5063 5061->5042 5072 705e06d-705e095 5061->5072 5063->5050 5086 705e119-705e11f 5063->5086 5068->5041 5069->5042 5073 705e13f-705e149 5070->5073 5072->5049 5086->5059 5086->5060 5167 705e705-705e70f 5089->5167 5168 705e71a-705e7ad 5089->5168 5169 705e715 5167->5169 5170 705e7b8-705e84b 5167->5170 5168->5170 5171 705e856-705e8e9 5169->5171 5170->5171 5171->5069
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: D
                                                                                                      • API String ID: 0-2746444292
                                                                                                      • Opcode ID: 082829f99df7d67414127d3ee22fe2ba37b99b4506d74b36033a2d67e8df2b1d
                                                                                                      • Instruction ID: 02cc5effb80c304d583dd22d44a153d93e45537bd51ca986cd70c3146336737a
                                                                                                      • Opcode Fuzzy Hash: 082829f99df7d67414127d3ee22fe2ba37b99b4506d74b36033a2d67e8df2b1d
                                                                                                      • Instruction Fuzzy Hash: D252C774A002188FCB64DF68D898A9EBBB6FF89300F1045D9D509AB365DF35AE81CF51

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 5196 f4b261-f4b27f 5197 f4b281-f4b28e call f487b8 5196->5197 5198 f4b2ab-f4b2af 5196->5198 5205 f4b2a4 5197->5205 5206 f4b290 5197->5206 5200 f4b2b1-f4b2bb 5198->5200 5201 f4b2c3-f4b304 5198->5201 5200->5201 5207 f4b306-f4b30e 5201->5207 5208 f4b311-f4b31f 5201->5208 5205->5198 5253 f4b296 call f4b4f8 5206->5253 5254 f4b296 call f4b508 5206->5254 5207->5208 5209 f4b321-f4b326 5208->5209 5210 f4b343-f4b345 5208->5210 5212 f4b331 5209->5212 5213 f4b328-f4b32f call f4ac54 5209->5213 5215 f4b348-f4b34f 5210->5215 5211 f4b29c-f4b29e 5211->5205 5214 f4b3e0-f4b45e 5211->5214 5217 f4b333-f4b341 5212->5217 5213->5217 5246 f4b464-f4b4a0 5214->5246 5247 f4b460-f4b463 5214->5247 5218 f4b351-f4b359 5215->5218 5219 f4b35c-f4b363 5215->5219 5217->5215 5218->5219 5220 f4b365-f4b36d 5219->5220 5221 f4b370-f4b379 call f4ac64 5219->5221 5220->5221 5227 f4b386-f4b38b 5221->5227 5228 f4b37b-f4b383 5221->5228 5229 f4b38d-f4b394 5227->5229 5230 f4b3a9-f4b3ad 5227->5230 5228->5227 5229->5230 5232 f4b396-f4b3a6 call f4ac74 call f4ac84 5229->5232 5235 f4b3b3-f4b3b6 5230->5235 5232->5230 5236 f4b3b8-f4b3d6 5235->5236 5237 f4b3d9-f4b3df 5235->5237 5236->5237 5248 f4b4a2-f4b4a5 5246->5248 5249 f4b4a8-f4b4d3 GetModuleHandleW 5246->5249 5247->5246 5248->5249 5250 f4b4d5-f4b4db 5249->5250 5251 f4b4dc-f4b4f0 5249->5251 5250->5251 5253->5211 5254->5211
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00F4B4C6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1907399974.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_f40000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule
                                                                                                      • String ID:
                                                                                                      • API String ID: 4139908857-0
                                                                                                      • Opcode ID: 16c67395e72f76d6bc106eb1a8d47249908695cc3fbf9d0d820a2a85200b9e6f
                                                                                                      • Instruction ID: 3bbfa2330ad9dfa315b16cfc2b0d7d0da3ca5a25a698e4ff7d8d6194f795ecad
                                                                                                      • Opcode Fuzzy Hash: 16c67395e72f76d6bc106eb1a8d47249908695cc3fbf9d0d820a2a85200b9e6f
                                                                                                      • Instruction Fuzzy Hash: 99817670A00B058FD724DF6AC54576ABBF1FF88310F10892ED88AD7A52D774E949CB91

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 5255 4e90af0-4e91d96 5257 4e91d98-4e91d9e 5255->5257 5258 4e91da1-4e91da8 5255->5258 5257->5258 5259 4e91daa-4e91db0 5258->5259 5260 4e91db3-4e91e52 CreateWindowExW 5258->5260 5259->5260 5262 4e91e5b-4e91e93 5260->5262 5263 4e91e54-4e91e5a 5260->5263 5267 4e91ea0 5262->5267 5268 4e91e95-4e91e98 5262->5268 5263->5262 5269 4e91ea1 5267->5269 5268->5267 5269->5269
                                                                                                      APIs
                                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E91E42
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1956681651.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_4e90000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 716092398-0
                                                                                                      • Opcode ID: dd2ad690b39e23421664a40235887894eeec3f5a1235f52b5f45b3f54632f560
                                                                                                      • Instruction ID: 00357e2e01d14e061a1d13edc51c6148cbce8363723927333ab7ca3497ab4f0e
                                                                                                      • Opcode Fuzzy Hash: dd2ad690b39e23421664a40235887894eeec3f5a1235f52b5f45b3f54632f560
                                                                                                      • Instruction Fuzzy Hash: DD519DB1D10249AFEF14CF99C984ADEFBB5BF48314F24812AE819AB250D771A845CF91

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 5270 4e91d2f-4e91d96 5271 4e91d98-4e91d9e 5270->5271 5272 4e91da1-4e91da8 5270->5272 5271->5272 5273 4e91daa-4e91db0 5272->5273 5274 4e91db3-4e91deb 5272->5274 5273->5274 5275 4e91df3-4e91e52 CreateWindowExW 5274->5275 5276 4e91e5b-4e91e93 5275->5276 5277 4e91e54-4e91e5a 5275->5277 5281 4e91ea0 5276->5281 5282 4e91e95-4e91e98 5276->5282 5277->5276 5283 4e91ea1 5281->5283 5282->5281 5283->5283
                                                                                                      APIs
                                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E91E42
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1956681651.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_4e90000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 716092398-0
                                                                                                      • Opcode ID: edc773478f2a8bcf0b9d897cc1b61860538c9204156f77fee25bc95b273a234a
                                                                                                      • Instruction ID: 448d981bf185727388bd80078b2c91bf5d7f5fe7c7727151e7d37ce4fd8d3cbb
                                                                                                      • Opcode Fuzzy Hash: edc773478f2a8bcf0b9d897cc1b61860538c9204156f77fee25bc95b273a234a
                                                                                                      • Instruction Fuzzy Hash: B641AEB1D00309AFEF14CF99C984ADEFBB5BF48314F24812AE819AB250D771A945CF91
                                                                                                      APIs
                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 00F459C9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1907399974.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_f40000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Create
                                                                                                      • String ID:
                                                                                                      • API String ID: 2289755597-0
                                                                                                      • Opcode ID: 37688d2b708631f7645cb5e41e14f2374cdc4133397775279e78234e403e13b2
                                                                                                      • Instruction ID: c064cb38dbf2c3255b8b9d8a4077af0d6c12723b6c0bc7ee3d65065ca026cc60
                                                                                                      • Opcode Fuzzy Hash: 37688d2b708631f7645cb5e41e14f2374cdc4133397775279e78234e403e13b2
                                                                                                      • Instruction Fuzzy Hash: 424105B0C0061DCBDB24DF99C884BCEBBB5BF44714F20815AD408AB251DB756985CF91
                                                                                                      APIs
                                                                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 04E943C1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1956681651.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_4e90000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CallProcWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 2714655100-0
                                                                                                      • Opcode ID: 629bb864572ce1aa73fa21c57e258c01452cd87e27b631c958c64e2ada793451
                                                                                                      • Instruction ID: 33a1830779a5e2637d131b916f3d3516766632a0951ba915c74e9247f1d621c6
                                                                                                      • Opcode Fuzzy Hash: 629bb864572ce1aa73fa21c57e258c01452cd87e27b631c958c64e2ada793451
                                                                                                      • Instruction Fuzzy Hash: 7F4129B4A04309DFDB14CF99C488AAABBF5FB88314F24C459D519AB3A1D774A841CFA0
                                                                                                      APIs
                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 00F459C9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1907399974.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_f40000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Create
                                                                                                      • String ID:
                                                                                                      • API String ID: 2289755597-0
                                                                                                      • Opcode ID: 4dc2b8d62e12770d2dbb4873ea8f570e6c98728bc3b52913706c848db9d5bc51
                                                                                                      • Instruction ID: 8afabe502e48a6899bedd711a9d32a1e050426a534b5e3828f4d464642d837d4
                                                                                                      • Opcode Fuzzy Hash: 4dc2b8d62e12770d2dbb4873ea8f570e6c98728bc3b52913706c848db9d5bc51
                                                                                                      • Instruction Fuzzy Hash: 2741F0B0C0071DCBDB24DFA9C884B9EBBB5BF48704F20816AD408AB251DB756985CF91
                                                                                                      APIs
                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F4D706,?,?,?,?,?), ref: 00F4D7C7
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1907399974.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_f40000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DuplicateHandle
                                                                                                      • String ID:
                                                                                                      • API String ID: 3793708945-0
                                                                                                      • Opcode ID: 942268f70f31b8d6698e05da5879d7e68b2086ef147f8f87af1b7e4487082008
                                                                                                      • Instruction ID: f3fe8752212b1a77eadac74e8ed35fbf17b80b4c0d125497ea2dfd514990844b
                                                                                                      • Opcode Fuzzy Hash: 942268f70f31b8d6698e05da5879d7e68b2086ef147f8f87af1b7e4487082008
                                                                                                      • Instruction Fuzzy Hash: 3221E3B5D00218DFDB10CF9AD584ADEBFF8EB48324F14841AE918A7211D374A954DFA5
                                                                                                      APIs
                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F4D706,?,?,?,?,?), ref: 00F4D7C7
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1907399974.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_f40000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DuplicateHandle
                                                                                                      • String ID:
                                                                                                      • API String ID: 3793708945-0
                                                                                                      • Opcode ID: d5a86330a0f8c3bdb0aee81d1ba36e676b359c684ac361f4837201023b94a997
                                                                                                      • Instruction ID: 93f93769414092753c72305468b43de2543e8a65e9b7cf7b87464a0801b4fa02
                                                                                                      • Opcode Fuzzy Hash: d5a86330a0f8c3bdb0aee81d1ba36e676b359c684ac361f4837201023b94a997
                                                                                                      • Instruction Fuzzy Hash: 7221E3B5900208EFDB10CF9AD584AEEBFF4EB48320F14841AE918A7351D374A950DFA5
                                                                                                      APIs
                                                                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 0704E755
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964456176.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7040000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessagePost
                                                                                                      • String ID:
                                                                                                      • API String ID: 410705778-0
                                                                                                      • Opcode ID: 774d28be76006e24cb985ff9cf75318665803c77502c1b0e4712812c61ffe782
                                                                                                      • Instruction ID: 89b3374cde066e08d5a28e6ee198047e4d0cc2c19bad1a6270b601a51baf00ba
                                                                                                      • Opcode Fuzzy Hash: 774d28be76006e24cb985ff9cf75318665803c77502c1b0e4712812c61ffe782
                                                                                                      • Instruction Fuzzy Hash: 5211F5B5900649DFDB10DF9AD584BDEBBF8FB48324F10841AE958A7200C375A584CFA5
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00F4B4C6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1907399974.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_f40000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule
                                                                                                      • String ID:
                                                                                                      • API String ID: 4139908857-0
                                                                                                      • Opcode ID: 1db9fdffce37df0143bfb37c2b24dceaa7dd4e66a55e3dadac7b5120c6efe849
                                                                                                      • Instruction ID: 15ffb7e76fab8ca08c7af303ca7d738afea3e5ddd75e1ecb727d12fc68817841
                                                                                                      • Opcode Fuzzy Hash: 1db9fdffce37df0143bfb37c2b24dceaa7dd4e66a55e3dadac7b5120c6efe849
                                                                                                      • Instruction Fuzzy Hash: 9E1110B6C002498FDB10CF9AC444ADEFBF8EF88320F10842AD818B7211C375A545CFA1
                                                                                                      APIs
                                                                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 0704E755
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964456176.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7040000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessagePost
                                                                                                      • String ID:
                                                                                                      • API String ID: 410705778-0
                                                                                                      • Opcode ID: 3789f24c8dffb72fd3e801cc157cfdeb39fc729371312f3cdc0d130d41b4e51f
                                                                                                      • Instruction ID: b3a375be95eaf56a70b950b431facaf66d6fd55689f55d69f423c5c330dc938d
                                                                                                      • Opcode Fuzzy Hash: 3789f24c8dffb72fd3e801cc157cfdeb39fc729371312f3cdc0d130d41b4e51f
                                                                                                      • Instruction Fuzzy Hash: 871136B5800349DFDB10DF9AC484BDEBBF8FB48324F108459E518A7200C374A940CFA5
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: Hbq
                                                                                                      • API String ID: 0-1245868
                                                                                                      • Opcode ID: 78259ee8471e1c381a4507159ba7111e389a1c5dd4b35acf4639f3060f58c6e6
                                                                                                      • Instruction ID: 342de890b472b45e1c8e7343a0015b460e21a4a3b05610db496ebb4b1a2d705e
                                                                                                      • Opcode Fuzzy Hash: 78259ee8471e1c381a4507159ba7111e389a1c5dd4b35acf4639f3060f58c6e6
                                                                                                      • Instruction Fuzzy Hash: E031B1B0A04208EFDB45DB749C05BAE7FBAFB85300F10C6A6E545AB280DF359E05DB91
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: Hbq
                                                                                                      • API String ID: 0-1245868
                                                                                                      • Opcode ID: 288ecf469b911834fbe58ab143669bb0ec28d0f4f23bc97507ab08e2e5fad6a4
                                                                                                      • Instruction ID: 5956ba49de0e7bab47be34c39bb3096a718ad85ad24bdce08dc299554a98f03c
                                                                                                      • Opcode Fuzzy Hash: 288ecf469b911834fbe58ab143669bb0ec28d0f4f23bc97507ab08e2e5fad6a4
                                                                                                      • Instruction Fuzzy Hash: 6D216FB0A04208AFDB44AB749C46BBE7FBAEB85700F10C966E9459A280DE355E058791
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: 4'^q
                                                                                                      • API String ID: 0-1614139903
                                                                                                      • Opcode ID: 469ee14fd8f4bee2fad062d37b154f9ddae401c3bbd8818b38d3dc150c64b09e
                                                                                                      • Instruction ID: 47bc6fbedfc593aada07b5cb3b5a151f780079696b0d5f79e0aeac14497f40a5
                                                                                                      • Opcode Fuzzy Hash: 469ee14fd8f4bee2fad062d37b154f9ddae401c3bbd8818b38d3dc150c64b09e
                                                                                                      • Instruction Fuzzy Hash: B5210334E05246CFDB01EFA8D8906EDBB71FF85304F108269D106BB296EB707995CBA0
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: 4'^q
                                                                                                      • API String ID: 0-1614139903
                                                                                                      • Opcode ID: d579bc9a741c23e1e6b4b78bc4838819ddb7bd235c334a4f8700bf3b1043a037
                                                                                                      • Instruction ID: d55ef724ecc7b79609e8740d7b2d3118a3ab935069414d744230a4ad95718da5
                                                                                                      • Opcode Fuzzy Hash: d579bc9a741c23e1e6b4b78bc4838819ddb7bd235c334a4f8700bf3b1043a037
                                                                                                      • Instruction Fuzzy Hash: 7F219F34E01206CFDB04EFA9E8946EEB771FF85304F108229D2167B295EB707995CBA0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e270c3b49150c5cc0dd763d366bd547b5bfa14da070553745abe6373c1391597
                                                                                                      • Instruction ID: 5f57cbaab675268746d484c98936156f4ee9f0619d5de957f4e3d73ddbdb0e93
                                                                                                      • Opcode Fuzzy Hash: e270c3b49150c5cc0dd763d366bd547b5bfa14da070553745abe6373c1391597
                                                                                                      • Instruction Fuzzy Hash: FB915CB5A0021ACFDB14DF68D884AAEBBB1BF48300F158665E855EB3A1C735FC41CB91
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 7cb8ed6d191244f7536c5b2b1b12a96fe79fbc2cd52d9cf906e39b2560db758e
                                                                                                      • Instruction ID: fd88f6566ae86848a2dc68fbf1f8035ab21c4ad368dba70d0b9c2074e84e3867
                                                                                                      • Opcode Fuzzy Hash: 7cb8ed6d191244f7536c5b2b1b12a96fe79fbc2cd52d9cf906e39b2560db758e
                                                                                                      • Instruction Fuzzy Hash: 97512BB5B10109DFCF44DFA4D958A9E7BF6EF88711F14866AE902AB390CB319C40CB90
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 4fcea1b15af177e3bbf18f39c4e962e48ee86201ca5ec5c0ce45196c3c33dfc9
                                                                                                      • Instruction ID: 0a8912ae8fdfc2e0a61e65c7a0f800f1600e105f5ca40246138fc0ff885f643e
                                                                                                      • Opcode Fuzzy Hash: 4fcea1b15af177e3bbf18f39c4e962e48ee86201ca5ec5c0ce45196c3c33dfc9
                                                                                                      • Instruction Fuzzy Hash: F1411D75E11209DFCF04CFA9D4449EEBBF6FF89300F14856AE815A7251DB34AA45CB90
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e21ca98fd4ebd9bc0da4bbf754cf68fd31c53540412d049d5825dcfefefe65f6
                                                                                                      • Instruction ID: 92e8e659104cf2d5411f26b85583ca84226c59b1d8c460d8991b677d9020b514
                                                                                                      • Opcode Fuzzy Hash: e21ca98fd4ebd9bc0da4bbf754cf68fd31c53540412d049d5825dcfefefe65f6
                                                                                                      • Instruction Fuzzy Hash: 7E4159B460011ADFCF05DF68D8849AE7BAAFF84700F148528F8019B394DB35EC52DB91
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ee2f2d9794f86d63d1ac527741f6090e4dc8b547b0dc7d7362850ac103c637d4
                                                                                                      • Instruction ID: a7b68552fb845bcbb323569cc807dddf328820fe756283a3a9922e3c5b52fd3c
                                                                                                      • Opcode Fuzzy Hash: ee2f2d9794f86d63d1ac527741f6090e4dc8b547b0dc7d7362850ac103c637d4
                                                                                                      • Instruction Fuzzy Hash: E941D175A046528BDF00DF24C48039A7772BF42714F1884B9DC0C7F396DBB6A98AC7A1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f11fd7af6563238a55ba7298032aece16bc2ec8a4a0ade7d4e26f7fd0b76cff4
                                                                                                      • Instruction ID: 20779de3c2abbff28f12a858b169b971f97cb99ada331dfbafb9da3c59ebe338
                                                                                                      • Opcode Fuzzy Hash: f11fd7af6563238a55ba7298032aece16bc2ec8a4a0ade7d4e26f7fd0b76cff4
                                                                                                      • Instruction Fuzzy Hash: 9341C2359046128BDB00EF68D4813AA73B1AF41718F4984B9DC0D7F246DBB6B98AC7A1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c10fcd9dd638d34e3e7a33e24e81ca1e8a339993d8822fa34072558b11445c64
                                                                                                      • Instruction ID: f0f52b2a7f12c3186b3522e8769fbd7ad1cfa479941448d698fa49f1713894bc
                                                                                                      • Opcode Fuzzy Hash: c10fcd9dd638d34e3e7a33e24e81ca1e8a339993d8822fa34072558b11445c64
                                                                                                      • Instruction Fuzzy Hash: 42412EB9B0010A8FDB14CF25D484AAF7BB2BF88710F158669E9559B3A1C734FC01CB50
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e71749c5d5eb7fac8ce0de14806fd2190be5dd762d92a9560aea308a923378d0
                                                                                                      • Instruction ID: 1eaf839713daec20a6424eb40bad575d4646abc3b7f9e8aebb45016fe8c81024
                                                                                                      • Opcode Fuzzy Hash: e71749c5d5eb7fac8ce0de14806fd2190be5dd762d92a9560aea308a923378d0
                                                                                                      • Instruction Fuzzy Hash: AE314671E00209EFCB05CFA5D8459EEBBF6EF89300F10846AE915A7260DB35AD42CB81
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 190f59fede953472c567b47b7ae10b6e7d6b32abb917e9e7fb0874ff5c93a728
                                                                                                      • Instruction ID: 4798fff4bebcfa22bbf9a7a10f532192bbd62aaeee805accbe4d38d0ac97229a
                                                                                                      • Opcode Fuzzy Hash: 190f59fede953472c567b47b7ae10b6e7d6b32abb917e9e7fb0874ff5c93a728
                                                                                                      • Instruction Fuzzy Hash: 42310575D00219DFCB04CFA9D848AEEBBF1FF49311F149169E515A7261C7799980CFA0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 6a55b0bfaa2c79db0c27e76bbb8d80c7f8990d70e597bb19fdd132b135e5347b
                                                                                                      • Instruction ID: 61c53d6edd49bf15b6dd93972f0db77ef21d148f1a702658f9503df61b7a0ea4
                                                                                                      • Opcode Fuzzy Hash: 6a55b0bfaa2c79db0c27e76bbb8d80c7f8990d70e597bb19fdd132b135e5347b
                                                                                                      • Instruction Fuzzy Hash: 8631AEB2A00108DFCF04DFA8D995ADE7FB5EF48315F1445A9E902AB360DB319D44CBA5
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 3560d84dfda130f8f001ff84a64ad3673833af915ff293ebce38d247e2181971
                                                                                                      • Instruction ID: 13ccdb1b44564758068004c9a0e6d858ed6b21a23aacdf74927c8355a78d7c82
                                                                                                      • Opcode Fuzzy Hash: 3560d84dfda130f8f001ff84a64ad3673833af915ff293ebce38d247e2181971
                                                                                                      • Instruction Fuzzy Hash: 1031D2B5D002099FCB04DFA9D4849EEBFF2FB48301F108569E926A7354DB346A85CF90
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1890255521.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_bed000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 6fa94fe3808c2599bdb26c65312c5245c198221e2f42c24ae344c6aef6fc3296
                                                                                                      • Instruction ID: f50fc6b702b60ba1e7f1610c6c10e28e266bcf104811bdd6ea1387c01050807c
                                                                                                      • Opcode Fuzzy Hash: 6fa94fe3808c2599bdb26c65312c5245c198221e2f42c24ae344c6aef6fc3296
                                                                                                      • Instruction Fuzzy Hash: 33212871500284DFDB05DF15D9C0B16BFF5FBA4314F20C6A9E9094B396C376E856C6A2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1890255521.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_bed000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 53e87b30db1a10c8d6ef5aba0c12b24dc9616b9e8fff3ccfa87df4127d58e1b4
                                                                                                      • Instruction ID: be1746cfc273f30e9f5e838c8737ad2df5e90caed151752a07cc5fd7754c01be
                                                                                                      • Opcode Fuzzy Hash: 53e87b30db1a10c8d6ef5aba0c12b24dc9616b9e8fff3ccfa87df4127d58e1b4
                                                                                                      • Instruction Fuzzy Hash: A0213771500280DFDB05DF15D9C0B2BBFE5FBA8318F20C5A9E8090B256C376D856CBA1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: eb96402ca5e0e92b24fa05c356dec86e5efd406ca6dc3550eec7452899618581
                                                                                                      • Instruction ID: f07c4f72c7ef334b4240fef5bb6d3d58b25146fd97d74b9d8276ecc1f2e6dc2d
                                                                                                      • Opcode Fuzzy Hash: eb96402ca5e0e92b24fa05c356dec86e5efd406ca6dc3550eec7452899618581
                                                                                                      • Instruction Fuzzy Hash: FF3125B1D00219DFDB04CFA9D848AEEBBF1FF49300F049169E515A7261C779A980CFA0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 72cfc344969ff470658b23549ca3beaaba91fd72163785fe7f42474d1d8ce6fa
                                                                                                      • Instruction ID: 8c31194cbf555cd1affdaf2dbc2c8ceb1dd850c2ee8a3ae67ff548a274334ba0
                                                                                                      • Opcode Fuzzy Hash: 72cfc344969ff470658b23549ca3beaaba91fd72163785fe7f42474d1d8ce6fa
                                                                                                      • Instruction Fuzzy Hash: E42138B5B0010A8FCB54EFA8C489AAEBBF5EF49310F154165ED05DB361DA30E881CBA1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: d26add657c3bf1cd2f49f0efb2c6f287fe93cc3f24de001a488c9a8063b6163d
                                                                                                      • Instruction ID: 2b27fb20e7c18a55ffef17b18296db1c8f973f8da08c5703739088aece44daf1
                                                                                                      • Opcode Fuzzy Hash: d26add657c3bf1cd2f49f0efb2c6f287fe93cc3f24de001a488c9a8063b6163d
                                                                                                      • Instruction Fuzzy Hash: 203193B4D002099FCB04DFA9D4849EEBBF1FB48311F108569E915A7354DB346A85CF54
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1892694753.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_bfd000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 0f3f4bac7b89b49bc03ee17c40d780a2d6347eb284398ac7910f5ad73e5775be
                                                                                                      • Instruction ID: 48d80bc54cb2ed5b58d391d39ea77aec5fea4d6d518074ac64f4fde51b56cd76
                                                                                                      • Opcode Fuzzy Hash: 0f3f4bac7b89b49bc03ee17c40d780a2d6347eb284398ac7910f5ad73e5775be
                                                                                                      • Instruction Fuzzy Hash: 01210771504208DFDB14DF24D5D4B26BFA6FB84314F20C5ADDA094B356CB36D84BCA61
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1892694753.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_bfd000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 4acb90830a467c88add58b87d24b0d4faef62999a914e29023876755a5982819
                                                                                                      • Instruction ID: da56ee95a03d5e6e4980aaaabd2ec072c8f1aeecda72609a28a60ad4001cc84e
                                                                                                      • Opcode Fuzzy Hash: 4acb90830a467c88add58b87d24b0d4faef62999a914e29023876755a5982819
                                                                                                      • Instruction Fuzzy Hash: 97212971604208DFDB05DF14D5C4B36FBE6FB84314F20C5ADDA094B255C336D84ACAA1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 812a34d537f1438f2b1e727242d60409253e235562fd9ef29e6ffd89576a4f5e
                                                                                                      • Instruction ID: 2998a52cbde1c71530275e8d0ab11d787c0eaa5adf18188513da5ba29367e6ee
                                                                                                      • Opcode Fuzzy Hash: 812a34d537f1438f2b1e727242d60409253e235562fd9ef29e6ffd89576a4f5e
                                                                                                      • Instruction Fuzzy Hash: 3C211675D00209DFCB05CFA5D845AEEBBB2FF89311F10802AE915A7360DB356942CF80
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1892694753.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_bfd000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ac118d95296846cdbc0a18bea37cac3bcf76d10dd054e7ceef3c0a3daff0afc2
                                                                                                      • Instruction ID: b060c90fbb7b67efcba0b2439eb409d33a8eb4f1a733476c0b6e423b60c52349
                                                                                                      • Opcode Fuzzy Hash: ac118d95296846cdbc0a18bea37cac3bcf76d10dd054e7ceef3c0a3daff0afc2
                                                                                                      • Instruction Fuzzy Hash: 5721C6755093848FCB06CF20D594715BFB2EB45314F28C5EAD9498F297C33AD80ACB62
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1890255521.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_bed000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                      • Instruction ID: 235f4fd4929072cb48f6b226ed4c43a7143548bfd3a014d574cb4caa9d53df08
                                                                                                      • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                      • Instruction Fuzzy Hash: 4A11D376504280CFCB16CF14D9C4B16BFB1FBA4318F24C6AAD8490B656C336D85ACBA1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1890255521.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_bed000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                      • Instruction ID: 74947ccd0e5549933d0addb25e58abb3c23a201f30da3a8686328b68f41db374
                                                                                                      • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                      • Instruction Fuzzy Hash: 05110376504280CFCB02CF00D5C4B16BFB1FBA4324F24C2A9D8090B356C33AE85ACBA1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 09ebe6473ff8e400b6240fbaebea086b50d3f592f557e711c9329746c54486c8
                                                                                                      • Instruction ID: 3b9fc9e2e15c7412b2a4e781d21c4ebd1007a131e973d1487675069ae4f3c37c
                                                                                                      • Opcode Fuzzy Hash: 09ebe6473ff8e400b6240fbaebea086b50d3f592f557e711c9329746c54486c8
                                                                                                      • Instruction Fuzzy Hash: BE214FB5905349DFCB51CFA8C444A9EBFF0EF06300F1081AAE504AB2A1D7358A44CB91
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1892694753.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_bfd000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                      • Instruction ID: 184e7490ed335595d2637aa730fccf0285a22746a214ab94e12aaa4f0e8b140c
                                                                                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                      • Instruction Fuzzy Hash: AC11BB75504284DFCB02CF10C5C4B25FBA2FB84314F24C6AAD9494B296C33AD80ACBA1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1890255521.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_bed000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 09e80e1b6d61f3f0cf28a4399c0d956cffb70b5fa05fb75f063994fbf25dbd99
                                                                                                      • Instruction ID: 91a01fd9470f2c01b49ccc96c2a33a00ebead7307aad15a96e3c3507805f0326
                                                                                                      • Opcode Fuzzy Hash: 09e80e1b6d61f3f0cf28a4399c0d956cffb70b5fa05fb75f063994fbf25dbd99
                                                                                                      • Instruction Fuzzy Hash: FD01DB711083809AE7109F2BCDC4B67BFD8DF51324F18C5AAED194A286D7B9DC40C671
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: afe375cc0379c2742552f3c84761e67f5033cd9986d7a81d6b16299c31fcd8db
                                                                                                      • Instruction ID: c2ed9f977c8a47aba94973fa3eb75b39c6f9cb438bc4fb52cf1c019f4149c08b
                                                                                                      • Opcode Fuzzy Hash: afe375cc0379c2742552f3c84761e67f5033cd9986d7a81d6b16299c31fcd8db
                                                                                                      • Instruction Fuzzy Hash: BF0116B5D0120ADFCB40DFA8C445AAEBFF1FF48300F1085A9E518A7260E7359A80DF91
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1890255521.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_bed000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c0435e31cc2c8d5440610d2d21c001de71256f9e3c1db2909715ecdf09aa4e14
                                                                                                      • Instruction ID: 71b9b1fdfcf3b5b9d016e6c5bf65fe6d6b158962cc60c74d702410158c6bc3f5
                                                                                                      • Opcode Fuzzy Hash: c0435e31cc2c8d5440610d2d21c001de71256f9e3c1db2909715ecdf09aa4e14
                                                                                                      • Instruction Fuzzy Hash: B0F062714043849EE7108F1AC8C8B62FFE8EB51734F18C55AED484A286C3799C44CAB1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 401a7b0d40d5b3859993376cd4ace395e60a828ba5fccd3f1d810d8fab965d60
                                                                                                      • Instruction ID: 776fe3df590f8fba88e68c14608f09c21f4c2adc0a2621eb2decf43e2c30b28b
                                                                                                      • Opcode Fuzzy Hash: 401a7b0d40d5b3859993376cd4ace395e60a828ba5fccd3f1d810d8fab965d60
                                                                                                      • Instruction Fuzzy Hash: D1F09DB9D10209DBDB44CFA9E4896EDBBF0FB48201F148165E922B3340D339A9818F60
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 2fe62f44c858ecf6d96efc71d1501993a8359f53805f1490b741fc78f698ae01
                                                                                                      • Instruction ID: ee36b19fdc5f5c637a0dee84c3eedc1866c3ca1d7c3126824ade7b90dc04c52f
                                                                                                      • Opcode Fuzzy Hash: 2fe62f44c858ecf6d96efc71d1501993a8359f53805f1490b741fc78f698ae01
                                                                                                      • Instruction Fuzzy Hash: F1E086F6610249ABCF507AA5EC8EA9FBFACDB45261F048131FD0591111EB71A058C5B1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 0d86f7ae4d63d51cc3b729fdee9f693c25f0afba9718b6222db4e1a7df93cc3a
                                                                                                      • Instruction ID: 0c88fbd1ff2bb6c4518e79c97331b1ecbbe9014044375510f65c92472277c56b
                                                                                                      • Opcode Fuzzy Hash: 0d86f7ae4d63d51cc3b729fdee9f693c25f0afba9718b6222db4e1a7df93cc3a
                                                                                                      • Instruction Fuzzy Hash: A3D012F020430F9FDF506BB5E908B2FBAD8AF00351F418935AE0882161EB39E651C551
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q
                                                                                                      • API String ID: 0-4202989938
                                                                                                      • Opcode ID: ed284c3522a90610a886e723cc6af21044d721652ba29739d96a7c30f77527e4
                                                                                                      • Instruction ID: b02abcca99629711f636d44d355d341fbe71f342299286ee6cebc56b2e078b35
                                                                                                      • Opcode Fuzzy Hash: ed284c3522a90610a886e723cc6af21044d721652ba29739d96a7c30f77527e4
                                                                                                      • Instruction Fuzzy Hash: EE218B30E0110A9FCB08EFAAD5516EEBBF2FF85700F11446DC1456B269DF305D458B91
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q
                                                                                                      • API String ID: 0-4202989938
                                                                                                      • Opcode ID: 059c7970bb9fe69c330811952978251ea35e9b7566f648852617e0892223c090
                                                                                                      • Instruction ID: 7e7fbdc66961c2d700ba1fa75b7c7b51825e6dc9b4043e981a7e441905c2ad33
                                                                                                      • Opcode Fuzzy Hash: 059c7970bb9fe69c330811952978251ea35e9b7566f648852617e0892223c090
                                                                                                      • Instruction Fuzzy Hash: CA214530E0110A9FCB0CEFAAD5516EEB7F2FF80700F1184ADC1056B269EF305A498B91
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1964673731.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7050000_OLHTuSLw.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: 4'^q$4'^q$4'^q$$^q
                                                                                                      • API String ID: 0-296639492
                                                                                                      • Opcode ID: 577d71582b34e885fe0f3f3e9f55fde3adf575955fdf985adfcf426af0ff76bb
                                                                                                      • Instruction ID: 9fa62ad0e4a90f95a68489c764f0cf94e37c584b959e671a8ac861bf9eed33e6
                                                                                                      • Opcode Fuzzy Hash: 577d71582b34e885fe0f3f3e9f55fde3adf575955fdf985adfcf426af0ff76bb
                                                                                                      • Instruction Fuzzy Hash: 0441E3B07401158FDB599A39C89863F3BEBBFC9B01B280AA9E457CF365DE21CD428741

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:8.7%
                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                      Signature Coverage:0%
                                                                                                      Total number of Nodes:154
                                                                                                      Total number of Limit Nodes:7
                                                                                                      execution_graph 34189 2bdd4f8 34190 2bdd53e GetCurrentProcess 34189->34190 34192 2bdd590 GetCurrentThread 34190->34192 34194 2bdd589 34190->34194 34193 2bdd5cd GetCurrentProcess 34192->34193 34195 2bdd5c6 34192->34195 34196 2bdd603 34193->34196 34194->34192 34195->34193 34197 2bdd62b GetCurrentThreadId 34196->34197 34198 2bdd65c 34197->34198 34199 2bdb178 34202 2bdb261 34199->34202 34200 2bdb187 34203 2bdb2a4 34202->34203 34204 2bdb281 34202->34204 34203->34200 34204->34203 34205 2bdb4a8 GetModuleHandleW 34204->34205 34206 2bdb4d5 34205->34206 34206->34200 34214 2bd4668 34215 2bd467a 34214->34215 34216 2bd4686 34215->34216 34218 2bd4779 34215->34218 34219 2bd479d 34218->34219 34223 2bd4879 34219->34223 34227 2bd4888 34219->34227 34225 2bd48af 34223->34225 34224 2bd498c 34224->34224 34225->34224 34231 2bd4514 34225->34231 34229 2bd48af 34227->34229 34228 2bd498c 34228->34228 34229->34228 34230 2bd4514 CreateActCtxA 34229->34230 34230->34228 34232 2bd5918 CreateActCtxA 34231->34232 34234 2bd59db 34232->34234 34235 595b660 34236 595b72a 34235->34236 34237 595b730 34236->34237 34240 595d3d2 34236->34240 34245 595d3d8 34236->34245 34241 595d3ed 34240->34241 34250 595d418 34241->34250 34266 595d408 34241->34266 34242 595d3ff 34242->34237 34246 595d3ed 34245->34246 34248 595d418 12 API calls 34246->34248 34249 595d408 12 API calls 34246->34249 34247 595d3ff 34247->34237 34248->34247 34249->34247 34251 595d432 34250->34251 34252 595d43a 34251->34252 34282 595da36 34251->34282 34287 595d8ca 34251->34287 34292 595dc89 34251->34292 34297 595d949 34251->34297 34302 595e0c7 34251->34302 34306 595dbc5 34251->34306 34311 595dc65 34251->34311 34316 595d858 34251->34316 34320 595db5f 34251->34320 34324 595d9dd 34251->34324 34329 595dd53 34251->34329 34334 595dbf1 34251->34334 34339 595de31 34251->34339 34252->34242 34267 595d432 34266->34267 34268 595d43a 34267->34268 34269 595da36 
2 API calls 34267->34269 34270 595de31 2 API calls 34267->34270 34271 595dbf1 2 API calls 34267->34271 34272 595dd53 2 API calls 34267->34272 34273 595d9dd 2 API calls 34267->34273 34274 595db5f 2 API calls 34267->34274 34275 595d858 2 API calls 34267->34275 34276 595dc65 2 API calls 34267->34276 34277 595dbc5 2 API calls 34267->34277 34278 595e0c7 2 API calls 34267->34278 34279 595d949 2 API calls 34267->34279 34280 595dc89 2 API calls 34267->34280 34281 595d8ca 2 API calls 34267->34281 34268->34242 34269->34268 34270->34268 34271->34268 34272->34268 34273->34268 34274->34268 34275->34268 34276->34268 34277->34268 34278->34268 34279->34268 34280->34268 34281->34268 34283 595da4b 34282->34283 34344 595b060 34283->34344 34348 595b059 34283->34348 34284 595da6e 34284->34252 34288 595d8df 34287->34288 34352 595af70 34288->34352 34356 595af68 34288->34356 34289 595dd34 34289->34252 34293 595dc96 34292->34293 34294 595d7f1 34293->34294 34295 595af70 WriteProcessMemory 34293->34295 34296 595af68 WriteProcessMemory 34293->34296 34294->34252 34295->34294 34296->34294 34298 595d95f 34297->34298 34360 595aeb0 34298->34360 34364 595aea8 34298->34364 34299 595df6d 34299->34252 34368 595a9a0 34302->34368 34372 595a999 34302->34372 34303 595e0e1 34308 595d9dc 34306->34308 34307 595e230 34307->34252 34308->34307 34376 595a8f0 34308->34376 34380 595a8e9 34308->34380 34313 595d9dc 34311->34313 34312 595e230 34312->34252 34313->34312 34314 595a8f0 ResumeThread 34313->34314 34315 595a8e9 ResumeThread 34313->34315 34314->34313 34315->34313 34384 595b1ec 34316->34384 34388 595b1f8 34316->34388 34322 595a9a0 Wow64SetThreadContext 34320->34322 34323 595a999 Wow64SetThreadContext 34320->34323 34321 595d7f1 34321->34252 34322->34321 34323->34321 34325 595d9dc 34324->34325 34325->34324 34326 595e230 34325->34326 34327 595a8f0 ResumeThread 34325->34327 34328 595a8e9 ResumeThread 34325->34328 34326->34252 34327->34325 34328->34325 34330 595dd59 34329->34330 34332 595af70 WriteProcessMemory 
34330->34332 34333 595af68 WriteProcessMemory 34330->34333 34331 595d90e 34331->34252 34332->34331 34333->34331 34335 595dc14 34334->34335 34337 595af70 WriteProcessMemory 34335->34337 34338 595af68 WriteProcessMemory 34335->34338 34336 595dc46 34336->34252 34337->34336 34338->34336 34340 595d9dc 34339->34340 34341 595e230 34340->34341 34342 595a8f0 ResumeThread 34340->34342 34343 595a8e9 ResumeThread 34340->34343 34341->34252 34342->34340 34343->34340 34345 595b0ab ReadProcessMemory 34344->34345 34347 595b0ef 34345->34347 34347->34284 34349 595b0ab ReadProcessMemory 34348->34349 34351 595b0ef 34349->34351 34351->34284 34353 595afb8 WriteProcessMemory 34352->34353 34355 595b00f 34353->34355 34355->34289 34357 595afb8 WriteProcessMemory 34356->34357 34359 595b00f 34357->34359 34359->34289 34361 595aef0 VirtualAllocEx 34360->34361 34363 595af2d 34361->34363 34363->34299 34365 595aef0 VirtualAllocEx 34364->34365 34367 595af2d 34365->34367 34367->34299 34369 595a9e5 Wow64SetThreadContext 34368->34369 34371 595aa2d 34369->34371 34371->34303 34373 595a9e5 Wow64SetThreadContext 34372->34373 34375 595aa2d 34373->34375 34375->34303 34377 595a930 ResumeThread 34376->34377 34379 595a961 34377->34379 34379->34308 34381 595a930 ResumeThread 34380->34381 34383 595a961 34381->34383 34383->34308 34385 595b281 CreateProcessA 34384->34385 34387 595b443 34385->34387 34389 595b281 CreateProcessA 34388->34389 34391 595b443 34389->34391 34207 595e658 34208 595e7e3 34207->34208 34209 595e67e 34207->34209 34209->34208 34211 5957c1c 34209->34211 34212 595e8d8 PostMessageW 34211->34212 34213 595e944 34212->34213 34213->34209 34392 2bdd740 DuplicateHandle 34393 2bdd7d6 34392->34393
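The flattened execution_graph text above is hard to read, but its tokens are regular: a node is a five-digit id followed by a hex address and zero or more API names, an edge is `src->dst`, and `N API calls` is the report's summary for a collapsed subtree. The following Python is an added example, not part of the Joe Sandbox report. It parses a hand-trimmed excerpt of the graph above (embedded inline as GRAPH_EXCERPT, with node and edge tokens copied from the text and most of the graph omitted), walks the edges from a chosen entry address, and reports which Win32 APIs that entry can reach. From the entry at 595b660 it recovers the CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread set that characterises process hollowing, which is the concrete behaviour behind the injection-related findings; from the entry at 2bdd4f8 it finds only GetCurrentProcess, GetCurrentThread and GetCurrentThreadId. All function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed input: a hand-trimmed excerpt of the execution_graph text in this
# report (two entry points and the injection chain rooted at 595b660).
GRAPH_EXCERPT = """
execution_graph 34189 2bdd4f8 34190 2bdd53e GetCurrentProcess 34189->34190
34192 2bdd590 GetCurrentThread 34190->34192 34194 2bdd589 34190->34194
34193 2bdd5cd GetCurrentProcess 34192->34193 34196 2bdd603 34193->34196
34197 2bdd62b GetCurrentThreadId 34196->34197
34235 595b660 34236 595b72a 34235->34236 34240 595d3d2 34236->34240
34241 595d3ed 34240->34241 34250 595d418 34241->34250 34266 595d408 34241->34266
34251 595d432 34250->34251 34282 595da36 34251->34282 34287 595d8ca 34251->34287
34297 595d949 34251->34297 34302 595e0c7 34251->34302 34306 595dbc5 34251->34306
34316 595d858 34251->34316
34267 595d432 34266->34267 34269 595da36 2 API calls 34267->34269
34283 595da4b 34282->34283 34344 595b060 34283->34344
34345 595b0ab ReadProcessMemory 34344->34345
34288 595d8df 34287->34288 34352 595af70 34288->34352
34353 595afb8 WriteProcessMemory 34352->34353
34298 595d95f 34297->34298 34360 595aeb0 34298->34360
34361 595aef0 VirtualAllocEx 34360->34361
34368 595a9a0 34302->34368 34369 595a9e5 Wow64SetThreadContext 34368->34369
34308 595d9dc 34306->34308 34376 595a8f0 34308->34376
34377 595a930 ResumeThread 34376->34377
34384 595b1ec 34316->34384 34385 595b281 CreateProcessA 34384->34385
34392 2bdd740 DuplicateHandle 34393 2bdd7d6 34392->34393
"""

NODE_ID = re.compile(r"^\d{5}$")          # graph node ids are five decimal digits
ADDR = re.compile(r"^[0-9a-f]{6,8}$")     # code addresses are short lowercase hex
EDGE = re.compile(r"^(\d+)->(\d+)$")

# APIs that together make up classic process hollowing (suspended child,
# remote allocation, remote write, thread context rewrite, resume).
HOLLOWING_APIS = {
    "CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
    "Wow64SetThreadContext", "ResumeThread",
}


def parse_execution_graph(text):
    """Return (nodes, succ): nodes maps id -> (addr, [api, ...]);
    succ maps id -> list of successor ids."""
    tokens = text.split()
    nodes, succ = {}, defaultdict(list)
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            succ[int(m.group(1))].append(int(m.group(2)))
            i += 1
        elif tok.isdigit() and tokens[i + 1:i + 3] == ["API", "calls"]:
            # "N API calls": collapsed-subtree summary, carries no API name
            i += 3
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = (tokens[i + 1], [])
            i += 2
        elif tok != "execution_graph" and current is not None:
            nodes[current][1].append(tok)  # an API name belonging to the current node
            i += 1
        else:
            i += 1
    return nodes, succ


def reachable_apis(nodes, succ, entry_addr):
    """Set of API names reachable (depth-first over edges) from the node
    whose address is entry_addr."""
    stack = [nid for nid, (addr, _) in nodes.items() if addr == entry_addr]
    seen, apis = set(), set()
    while stack:
        nid = stack.pop()
        if nid in seen:
            continue
        seen.add(nid)
        apis.update(nodes.get(nid, ("", []))[1])
        stack.extend(succ.get(nid, []))
    return apis


def looks_like_hollowing(apis):
    """True when every API of the hollowing sequence is present."""
    return HOLLOWING_APIS <= set(apis)


if __name__ == "__main__":
    nodes, succ = parse_execution_graph(GRAPH_EXCERPT)
    for entry in ("2bdd4f8", "595b660"):
        apis = sorted(reachable_apis(nodes, succ, entry))
        verdict = "process hollowing" if looks_like_hollowing(apis) else "no injection pattern"
        print(f"{entry}: {verdict}: {apis}")
```

The check is deliberately set-based rather than order-based: Joe Sandbox's graph collapses repeated subtrees (the `N API calls` tokens) and lists the same callee behind several wrapper nodes, so the reliable signal is which APIs a given entry can reach, not the exact call order. Feeding the full graph text from the report into `parse_execution_graph` works the same way.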
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1839177595.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_6010000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: (o^q$(o^q$,bq$,bq$Hbq
                                                                                                      • API String ID: 0-3486158592
                                                                                                      • Opcode ID: 88c03a2bfba2b164c64286912446f5a402c73443fd01c26b52842d73263e1bb1
                                                                                                      • Instruction ID: 67b8cdaa9d01bf5e06a75ec03254bf101734c46d19afc11da0e0487a8e598f1b
                                                                                                      • Opcode Fuzzy Hash: 88c03a2bfba2b164c64286912446f5a402c73443fd01c26b52842d73263e1bb1
                                                                                                      • Instruction Fuzzy Hash: D5527D34A401199FCB98DF69C594AAEBBF6FF88310B158569E806DF364DB31EC41CB90
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1839177595.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_6010000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: (o^q$(o^q$,bq$,bq$Hbq
                                                                                                      • API String ID: 0-3486158592
                                                                                                      • Opcode ID: d619fcdb2d939758d214077a610b6bcd6dcce03c29aaf5ab90d84deeb73a1bb6
                                                                                                      • Instruction ID: 438cc0f37475a975501b016b50d98360b2b20f8b07f1e846ebddd10db369c2a9
                                                                                                      • Opcode Fuzzy Hash: d619fcdb2d939758d214077a610b6bcd6dcce03c29aaf5ab90d84deeb73a1bb6
                                                                                                      • Instruction Fuzzy Hash: 52227D30B402158FCB95DF69D994A6EBFF6BF88340F158469E8059B361DB31EC81CBA1
                                                                                                      Control-flow Graph
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1839177595.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_6010000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: fbdc361620356c236350db826da274e62e4d58c71bfb1c462013822c5fca783c
                                                                                                      • Instruction ID: e2dc292968be4c77d82c34d8493f526c880321e46f120e3572347c11f26361f8
                                                                                                      • Opcode Fuzzy Hash: fbdc361620356c236350db826da274e62e4d58c71bfb1c462013822c5fca783c
                                                                                                      • Instruction Fuzzy Hash: 0AB3D534A512698FCB15EF64C894A99B3F2FF89300F5196E9D4486B361DB71AEC1CF80
                                                                                                      Control-flow Graph
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1839177595.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_6010000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: bfa1be0298373f5c29e86fe594b467f7857d9a29d7a92c203e161a84de52043d
                                                                                                      • Instruction ID: d276c3abd13dffaab1515b1db0f9f70b719686e89efa278b29547d6bec47820c
                                                                                                      • Opcode Fuzzy Hash: bfa1be0298373f5c29e86fe594b467f7857d9a29d7a92c203e161a84de52043d
                                                                                                      • Instruction Fuzzy Hash: F783E534A11669CFDB25EF64C894AE9B3B2FF89300F5156E9D4086B361DB31AE91CF40
                                                                                                      Control-flow Graph
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1839177595.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_6010000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 457e6cd40a49087162784c9a6edd6af13545ba5155567d9bce29fa410f21d1d8
                                                                                                      • Instruction ID: 38f7cbd2246c297601d80a0ba43fec13a03fcff22f79f860bc94326524715e05
                                                                                                      • Opcode Fuzzy Hash: 457e6cd40a49087162784c9a6edd6af13545ba5155567d9bce29fa410f21d1d8
                                                                                                      • Instruction Fuzzy Hash: EB83D534A116698FDB25EF64C894AE9B3B2FF89300F5156E9D4086B361DB31AED1CF40
                                                                                                      Control-flow Graph
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1839177595.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_6010000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: D
                                                                                                      • API String ID: 0-2746444292
                                                                                                      • Opcode ID: b67391bff5e2b89af5fd5547a314329a1ce4de7207e67ce8059fa4eee2096216
                                                                                                      • Instruction ID: 9a1eb59c4d386ae6d62763b311fc3b955049fd3b8d51b8a80c7ee880f9aecd77
                                                                                                      • Opcode Fuzzy Hash: b67391bff5e2b89af5fd5547a314329a1ce4de7207e67ce8059fa4eee2096216
                                                                                                      • Instruction Fuzzy Hash: A652E874A412188FCB55DF68C998A9DBBB6FF88300F1085D9D909A73A5DF31AE81CF50
                                                                                                      Control-flow Graph
                                                                                                      APIs
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 02BDD576
                                                                                                      • GetCurrentThread.KERNEL32 ref: 02BDD5B3
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 02BDD5F0
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 02BDD649
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1809717283.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_2bd0000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Current$ProcessThread
                                                                                                      • String ID:
                                                                                                      • API String ID: 2063062207-0
                                                                                                      • Opcode ID: b9545e8a0da715c8eba945d53cbb5937eb57c20c30afa1b39399d0d5d35a411c
                                                                                                      • Instruction ID: ae71b6836a993ef33afa1dd2f6bed2527b17dac9b2988287960d62e3c4c292c9
                                                                                                      • Opcode Fuzzy Hash: b9545e8a0da715c8eba945d53cbb5937eb57c20c30afa1b39399d0d5d35a411c
                                                                                                      • Instruction Fuzzy Hash: B65155B59002098FDB14DFA9D548BEEBBF1AF48308F20C499E459AB361DB349984CF65
                                                                                                      Control-flow Graph
                                                                                                      APIs
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 02BDD576
                                                                                                      • GetCurrentThread.KERNEL32 ref: 02BDD5B3
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 02BDD5F0
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 02BDD649
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1809717283.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_2bd0000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Current$ProcessThread
                                                                                                      • String ID:
                                                                                                      • API String ID: 2063062207-0
                                                                                                      • Opcode ID: 6f5ba9fa3b4e7c673bfcf371b4f6126b013bf3cd41bb4f4f974e4ebfe60f0a5c
                                                                                                      • Instruction ID: b9a8e3d52674879fc1bf0fb13a3983b925a983f66b64a68677b1e9c1ed7a9314
                                                                                                      • Opcode Fuzzy Hash: 6f5ba9fa3b4e7c673bfcf371b4f6126b013bf3cd41bb4f4f974e4ebfe60f0a5c
                                                                                                      • Instruction Fuzzy Hash: 6C5156B59002098FDB14DFAAD548BDEBBF5EF48308F20C459E059A7361DB349984CF65
                                                                                                      Control-flow Graph
                                                                                                      APIs
                                                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0595B42E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1838919975.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_5950000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateProcess
                                                                                                      • String ID:
                                                                                                      • API String ID: 963392458-0
                                                                                                      • Opcode ID: 6c4653b7f0034240bd2c2fbf0fa11634b4d0a4863fa363c50e75356de214e582
                                                                                                      • Instruction ID: e6f5af3f697e590cfbfb0b4d4d7e27f828ad6edb4c9501045538200a6cffc9d1
                                                                                                      • Opcode Fuzzy Hash: 6c4653b7f0034240bd2c2fbf0fa11634b4d0a4863fa363c50e75356de214e582
                                                                                                      • Instruction Fuzzy Hash: F9A18D71D00619DFDB24CFA8C841BEDBBB6FF48324F1481A9E80AA7250DB749995CF91
                                                                                                      Control-flow Graph
                                                                                                      APIs
                                                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0595B42E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1838919975.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_5950000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateProcess
                                                                                                      • String ID:
                                                                                                      • API String ID: 963392458-0
                                                                                                      • Opcode ID: 84316487be6461fbe35ee15699125919d097a9ddcee2514b480f72c76d12abfe
                                                                                                      • Instruction ID: 299f763308c7245621abdbcf5e0b30df86cde5a17754079a700bdd30193c329a
                                                                                                      • Opcode Fuzzy Hash: 84316487be6461fbe35ee15699125919d097a9ddcee2514b480f72c76d12abfe
                                                                                                      • Instruction Fuzzy Hash: 4D917C71D00619DFDB24CFA8C841BEDBBB6FF48324F1481A9E80AA7250DB749995CF91
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02BDB4C6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1809717283.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_2bd0000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule
                                                                                                      • String ID:
                                                                                                      • API String ID: 4139908857-0
                                                                                                      • Opcode ID: d42d740f26c7151477358162925d43ba08f5c0d7944f0d1de5f258bda71f4101
                                                                                                      • Instruction ID: d15a8c06f6681058b16efc6c1bb9e1f112e5658e572061a1faf61c763d846f87
                                                                                                      • Opcode Fuzzy Hash: d42d740f26c7151477358162925d43ba08f5c0d7944f0d1de5f258bda71f4101
                                                                                                      • Instruction Fuzzy Hash: 00813370A00B058FD724DF29D54079ABBF5FF88318F008A6DD08AD7A50EB35E845CB90
                                                                                                      APIs
                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 02BD59C9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1809717283.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_2bd0000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Create
                                                                                                      • String ID:
                                                                                                      • API String ID: 2289755597-0
                                                                                                      • Opcode ID: a796b33b215c63654f5e649763f81ad4557ef2c6ebc8255139576f398b7fb0c3
                                                                                                      • Instruction ID: 3438f5c62d312f04dd7c6fdee77f30afddcc80e7295dcc63df55d87c5999ee96
                                                                                                      • Opcode Fuzzy Hash: a796b33b215c63654f5e649763f81ad4557ef2c6ebc8255139576f398b7fb0c3
                                                                                                      • Instruction Fuzzy Hash: DC41E3B1C00719CBDB24DFA9C884BDEBBB5FF48304F6481AAD408AB255EB756945CF90
                                                                                                      APIs
                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 02BD59C9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1809717283.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_2bd0000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Create
                                                                                                      • String ID:
                                                                                                      • API String ID: 2289755597-0
                                                                                                      • Opcode ID: f23fff368782eea2ae1b732def0159176e456e1a1b4dbf71f7120ae17198db07
                                                                                                      • Instruction ID: 094744c5b4e44d696ffcd5d63f1c91394b72b5b53588d48ad44772cfe718a63b
                                                                                                      • Opcode Fuzzy Hash: f23fff368782eea2ae1b732def0159176e456e1a1b4dbf71f7120ae17198db07
                                                                                                      • Instruction Fuzzy Hash: 9C41D2B0C0061DCBDB24CFA9C884BDEBBB5FF49304F6480AAD408AB255EB756945CF90
                                                                                                      APIs
                                                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0595B000
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1838919975.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_5950000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MemoryProcessWrite
                                                                                                      • String ID:
                                                                                                      • API String ID: 3559483778-0
                                                                                                      • Opcode ID: 23f58e61a41719936959eb10ca577d7739fbcf938e664fe7f120cfe246988912
                                                                                                      • Instruction ID: df1980647e3b6cba60ac175137d92ff15318419e4a9bdf1f1e77a805a8069a0a
                                                                                                      • Opcode Fuzzy Hash: 23f58e61a41719936959eb10ca577d7739fbcf938e664fe7f120cfe246988912
                                                                                                      • Instruction Fuzzy Hash: 252139B19003599FCB10CFA9C885BDEBBF5FF48320F10842AE959A7250C7789954CBA4
                                                                                                      APIs
                                                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0595B000
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1838919975.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_5950000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MemoryProcessWrite
                                                                                                      • String ID:
                                                                                                      • API String ID: 3559483778-0
                                                                                                      • Opcode ID: 220dfcc1dc6898194422ea41d4cfdb396d2311f62b0e4154cef34eb89efb2df9
                                                                                                      • Instruction ID: 69f7a84045c5d243af290366aaef579caf6b4cdb379e5ce88bd0239265eb8e56
                                                                                                      • Opcode Fuzzy Hash: 220dfcc1dc6898194422ea41d4cfdb396d2311f62b0e4154cef34eb89efb2df9
                                                                                                      • Instruction Fuzzy Hash: F92169B6900309CFCB10CFA9C885BEEBBF5FF48320F10842AE959A7240C7789554CBA4
                                                                                                      APIs
                                                                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0595AA1E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1838919975.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_5950000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ContextThreadWow64
                                                                                                      • String ID:
                                                                                                      • API String ID: 983334009-0
                                                                                                      • Opcode ID: 757bff3b33ee1abd300a7ade4e8ff289ceb3b4b7609907544f90eeeac452397f
                                                                                                      • Instruction ID: 0c4ee02197929d429f1119bdcf1a3c6963f6f5eafb7673b622897fc556b21547
                                                                                                      • Opcode Fuzzy Hash: 757bff3b33ee1abd300a7ade4e8ff289ceb3b4b7609907544f90eeeac452397f
                                                                                                      • Instruction Fuzzy Hash: 642135B1D003098FDB10CFAAC5857EEBBF4AF48324F14842AD959A7240DB789985CFA4
                                                                                                      APIs
                                                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0595B0E0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1838919975.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_5950000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MemoryProcessRead
                                                                                                      • String ID:
                                                                                                      • API String ID: 1726664587-0
                                                                                                      • Opcode ID: 511435c8d983c918a88c8db458a5658374dae42a6a38d0e92b08acc01fa5d680
                                                                                                      • Instruction ID: 9e47ed86cc19c541298d7a038976391aea5e279d6a3afb17aeb7a5ba73c3b7a6
                                                                                                      • Opcode Fuzzy Hash: 511435c8d983c918a88c8db458a5658374dae42a6a38d0e92b08acc01fa5d680
                                                                                                      • Instruction Fuzzy Hash: C82119B59002599FCB10CFA9C9457EEBBF5BF48320F10842AD559A7250C7389554CB64
                                                                                                      APIs
                                                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0595B0E0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1838919975.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_5950000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MemoryProcessRead
                                                                                                      • String ID:
                                                                                                      • API String ID: 1726664587-0
                                                                                                      • Opcode ID: 65befc48d9bbe3d032af09a5a55885d9fd9b785cb267f5bc4c0838a5d776f18d
                                                                                                      • Instruction ID: afc7a9dfd554ac6b829c2de0398ead35cea338df47b594f69aa67473f720996c
                                                                                                      • Opcode Fuzzy Hash: 65befc48d9bbe3d032af09a5a55885d9fd9b785cb267f5bc4c0838a5d776f18d
                                                                                                      • Instruction Fuzzy Hash: 9B2139B1D003599FCB10DFAAC880AEEFBF5FF48320F10842AE959A7250CB749554CBA4
                                                                                                      APIs
                                                                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0595AA1E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1838919975.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_5950000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ContextThreadWow64
                                                                                                      • String ID:
                                                                                                      • API String ID: 983334009-0
                                                                                                      • Opcode ID: 4c609a4d7776459a015a022bbdc52aa59b12ff8cbfba896abfb988b94585d48e
                                                                                                      • Instruction ID: b4ac5606995c6443484d946d042cc82d9f816a162558f899da6268fec73c346c
                                                                                                      • Opcode Fuzzy Hash: 4c609a4d7776459a015a022bbdc52aa59b12ff8cbfba896abfb988b94585d48e
                                                                                                      • Instruction Fuzzy Hash: A52149B19003098FDB10DFAAC5857EEBBF4FF48324F10842AD959A7240CB789985CFA4
                                                                                                      APIs
                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02BDD7C7
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1809717283.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_2bd0000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DuplicateHandle
                                                                                                      • String ID:
                                                                                                      • API String ID: 3793708945-0
                                                                                                      • Opcode ID: 616dd6f177ec5b0f6a11fa818fe0a2f3e0f1bbe92e09c55cc10caecdfbcec038
                                                                                                      • Instruction ID: 19285f95280750fedcc88057eee8772e54839930b07d3984b3abc94486fd19e6
                                                                                                      • Opcode Fuzzy Hash: 616dd6f177ec5b0f6a11fa818fe0a2f3e0f1bbe92e09c55cc10caecdfbcec038
                                                                                                      • Instruction Fuzzy Hash: E721E4B6D00209DFDB10CFAAD584AEEBBF4FB08310F14845AE958A7350D378A944CF60
                                                                                                      APIs
                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02BDD7C7
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1809717283.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_2bd0000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DuplicateHandle
                                                                                                      • String ID:
                                                                                                      • API String ID: 3793708945-0
                                                                                                      • Opcode ID: d3d5464bfea9bb1ee2c1099ccc48e686c3b2845d653b99e6ef42c2b28afaa671
                                                                                                      • Instruction ID: a8ef9b7735313d0f64629b681861acd595424484edb747ba8a228a23e8d3a9c1
                                                                                                      • Opcode Fuzzy Hash: d3d5464bfea9bb1ee2c1099ccc48e686c3b2845d653b99e6ef42c2b28afaa671
                                                                                                      • Instruction Fuzzy Hash: 5221E2B5900209DFDB10CFAAD984ADEBFF8FB48320F14845AE958A7310D374A940CFA4
                                                                                                      APIs
                                                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0595AF1E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1838919975.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_5950000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AllocVirtual
                                                                                                      • String ID:
                                                                                                      • API String ID: 4275171209-0
                                                                                                      • Opcode ID: be080ad7b91c3538c1f070e2d23411f8c9923c05a69321d0280a80352957306c
                                                                                                      • Instruction ID: c2a2ab4ecb807f632165fd526cb20dbd5c931010dea707b6c19cb097ada93271
                                                                                                      • Opcode Fuzzy Hash: be080ad7b91c3538c1f070e2d23411f8c9923c05a69321d0280a80352957306c
                                                                                                      • Instruction Fuzzy Hash: 98116AB6900248CFCB10CFA9C845BDEBBF5AF48324F24841AE955A7250C7359550CFA4
                                                                                                      APIs
                                                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0595AF1E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1838919975.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_5950000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AllocVirtual
                                                                                                      • String ID:
                                                                                                      • API String ID: 4275171209-0
                                                                                                      • Opcode ID: aab8024bc22ba8b26d21f24cf717d89d5bec5fa24f45487f79ce0a80345dc7ca
                                                                                                      • Instruction ID: 16ff204853e51a48146127fbc94739e8f05690b4b66f3fafc3740947f248424c
                                                                                                      • Opcode Fuzzy Hash: aab8024bc22ba8b26d21f24cf717d89d5bec5fa24f45487f79ce0a80345dc7ca
                                                                                                      • Instruction Fuzzy Hash: D7113AB19002499FCB10DFA9C844BDFBFF5EF48324F108419E955A7250C7759554CFA4
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1838919975.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_5950000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ResumeThread
                                                                                                      • String ID:
                                                                                                      • API String ID: 947044025-0
                                                                                                      • Opcode ID: 3b19b6fc97a210acf03ad44336487f175d0cece81db2a08f7c832362d7c9dfd4
                                                                                                      • Instruction ID: da390a444a5138b078ce77017c9eabad5cc0fe6897f9cee44a022ea773af2e33
                                                                                                      • Opcode Fuzzy Hash: 3b19b6fc97a210acf03ad44336487f175d0cece81db2a08f7c832362d7c9dfd4
                                                                                                      • Instruction Fuzzy Hash: 5F1155B5D003498FCB20DFA9C8457EEFBF4AF88324F24842AC559A7250CA38A545CB94
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1838919975.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_5950000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ResumeThread
                                                                                                      • String ID:
                                                                                                      • API String ID: 947044025-0
                                                                                                      • Opcode ID: 5b329cd1e8ca5db52373070d5042d3cedcc2fd82c916beec2421968c208b128f
                                                                                                      • Instruction ID: d54b5c6f61507562cced2d9922eefd9e0afe61de2eddbecccc7f11baf1d6caaf
                                                                                                      • Opcode Fuzzy Hash: 5b329cd1e8ca5db52373070d5042d3cedcc2fd82c916beec2421968c208b128f
                                                                                                      • Instruction Fuzzy Hash: 5F1128B19003598FDB20DFAAC4457EEFBF5AF88324F208419D559A7250CA75A544CB94
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02BDB4C6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1809717283.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_2bd0000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule
                                                                                                      • String ID:
                                                                                                      • API String ID: 4139908857-0
                                                                                                      • Opcode ID: 159de2e2e76eab40e420700d901a57feb969228e9cb595ad61b8b3a204c9a144
                                                                                                      • Instruction ID: a29794ffc31c4cd8a11172492d94380756aa5bc1f7d58e6e64788e3abcf9487d
                                                                                                      • Opcode Fuzzy Hash: 159de2e2e76eab40e420700d901a57feb969228e9cb595ad61b8b3a204c9a144
                                                                                                      • Instruction Fuzzy Hash: E6110FB6C006498FDB10CF9AC444ADEFBF4EF88328F14846AD859A7610D375A545CFA5
                                                                                                      APIs
                                                                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 0595E935
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1838919975.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_5950000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessagePost
                                                                                                      • String ID:
                                                                                                      • API String ID: 410705778-0
                                                                                                      • Opcode ID: 031bbd9f97380ccaee970a80ee50b90ff5c0f6020a6e55c39d7c6b3285629fcf
                                                                                                      • Instruction ID: 2a6a78b235f03a7c908c8b20327244262045ca4176f67fb38bda592c41ac29f2
                                                                                                      • Opcode Fuzzy Hash: 031bbd9f97380ccaee970a80ee50b90ff5c0f6020a6e55c39d7c6b3285629fcf
                                                                                                      • Instruction Fuzzy Hash: 9111F2B5800348DFDB10DF9AC485BDEBBF8FB48324F10845AE959A7600D375A994CFA1
                                                                                                      APIs
                                                                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 0595E935
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1838919975.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_5950000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessagePost
                                                                                                      • String ID:
                                                                                                      • API String ID: 410705778-0
                                                                                                      • Opcode ID: d9076802b0153b9a9cbff26ed5a5bb822b0e8e46d1545da232f989f6d402ba3d
                                                                                                      • Instruction ID: 93a370a56726ce12f434270b39d0f77d6d16412a4c3419f3fdbe145e9cbde7ce
                                                                                                      • Opcode Fuzzy Hash: d9076802b0153b9a9cbff26ed5a5bb822b0e8e46d1545da232f989f6d402ba3d
                                                                                                      • Instruction Fuzzy Hash: 021103B5800349CFDB10CF99C589BDEBBF8FB08324F14845AD959A7600D375A584CFA0
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1839177595.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_6010000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: Hbq
                                                                                                      • API String ID: 0-1245868
                                                                                                      • Opcode ID: ee08776033feec5bbb6acefd37eb325eac6d1d8c868e8ac0645ddf76256403a4
                                                                                                      • Instruction ID: f9aeede6cdd020f4d06c4ab459f7214feb61b89a57c3a7ee0ea037ada24b7ae6
                                                                                                      • Opcode Fuzzy Hash: ee08776033feec5bbb6acefd37eb325eac6d1d8c868e8ac0645ddf76256403a4
                                                                                                      • Instruction Fuzzy Hash: 3731B430A45248AFDB459FB49C45BAE7FBAEF85300F10C4A6E545AB280DF359E05DBA0
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1839177595.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_6010000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: 6
                                                                                                      • API String ID: 0-498629140
                                                                                                      • Opcode ID: 021bca51bd56efffd7da4decde820b5a1b67a907fb820df427aaeb5a17b13410
                                                                                                      • Instruction ID: 126a60b441ece051af5cdba0a72cfd3b6ff83f2cbe9f068ba71ed0b4323d92b4
                                                                                                      • Opcode Fuzzy Hash: 021bca51bd56efffd7da4decde820b5a1b67a907fb820df427aaeb5a17b13410
                                                                                                      • Instruction Fuzzy Hash: 8F31B2B9D112099FDB04CFA9D595ADEBFF6BF48300F14802AE819AB350EB309A45CF54
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1839177595.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_6010000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: Hbq
                                                                                                      • API String ID: 0-1245868
                                                                                                      • Opcode ID: a5a731a791bcdb291fa9d96091924dd3a43c27948b52a073720c130396e959ca
                                                                                                      • Instruction ID: 5d46a4f4a3fa730a0d7d9d5b346cb931b4ef5459d13f5a93342441cdc41b87fd
                                                                                                      • Opcode Fuzzy Hash: a5a731a791bcdb291fa9d96091924dd3a43c27948b52a073720c130396e959ca
                                                                                                      • Instruction Fuzzy Hash: 2F219330B45244AFDB459B749C45BAE7FBAFF85300F10C465F905DE280DE755D059BA0
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1839177595.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_6010000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: 4'^q
                                                                                                      • API String ID: 0-1614139903
                                                                                                      • Opcode ID: 854722f57844fd872914db19f5b99c8aa4b72da05c5281a4edf9fbe6dd0e70e5
                                                                                                      • Instruction ID: ed623056136922699b93e1c5bcf9e87a517c3cb5860fa69568c7e2f607b89d55
                                                                                                      • Opcode Fuzzy Hash: 854722f57844fd872914db19f5b99c8aa4b72da05c5281a4edf9fbe6dd0e70e5
                                                                                                      • Instruction Fuzzy Hash: 1E219035E1031ADFDB04EBA6D855AEDBB72FF89314F108224E50277284DB70B995CB90
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1839177595.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_6010000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: 4'^q
                                                                                                      • API String ID: 0-1614139903
                                                                                                      • Opcode ID: 9a43b5332bfb40d589cf74a1fe6ec026ef7e7c6146c93c7d63f34c5caf3fea80
                                                                                                      • Instruction ID: c492cbad5da7f3d5470ebdca8ef1865d125c5b0f61ae459b1c4d0e1c45e3a162
                                                                                                      • Opcode Fuzzy Hash: 9a43b5332bfb40d589cf74a1fe6ec026ef7e7c6146c93c7d63f34c5caf3fea80
                                                                                                      • Instruction Fuzzy Hash: 59217C35E1031A8FDB04EBA6D859AA9BB76FF85314F108224E50277284EB70B985CB90
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1839177595.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_6010000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 73c310c519e6c0b53dae2ad692aecca2fec1014d61a7bdbdea091600b16dc87e
                                                                                                      • Instruction ID: 14bda0c61d7cd143f8659b90d0136c88c22a26a54e3e46392b3fda927367fbb6
                                                                                                      • Opcode Fuzzy Hash: 73c310c519e6c0b53dae2ad692aecca2fec1014d61a7bdbdea091600b16dc87e
                                                                                                      • Instruction Fuzzy Hash: 0D916F75A4021ADFCB85DF69D894AAEBBF1BF48710F158565E8059F3A1C730EC41CBA0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1839177595.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_6010000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 31f2f3c69320f47d04bfc678ea0f956fdbef445483f8e273270bd13202fd426c
                                                                                                      • Instruction ID: 0932d997f9b3d2fea9cbf9c9588bebea1f683a3388217a7824b034c0f1f70109
                                                                                                      • Opcode Fuzzy Hash: 31f2f3c69320f47d04bfc678ea0f956fdbef445483f8e273270bd13202fd426c
                                                                                                      • Instruction Fuzzy Hash: 94511A34B911089FCF45DFA4D958AAD7BF6EF48721F148469E812AB390CB319C40CBA0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1839177595.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_6010000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 05a6aada471b8ed28d8fa3f3e5b4cede1792c6c02a29316e0ba4cd25c0d5c0d2
                                                                                                      • Instruction ID: bf1bd77fa96004332bc3094757bbb1e2b57303891e24732170a051c23b4af226
                                                                                                      • Opcode Fuzzy Hash: 05a6aada471b8ed28d8fa3f3e5b4cede1792c6c02a29316e0ba4cd25c0d5c0d2
                                                                                                      • Instruction Fuzzy Hash: 96513C75A92118CFCB45DFA4D954ADD7FF2EF48321F154069E812AB261CB319D84CBA0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1839177595.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_6010000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8cfdcc4443df9428c2f15b89e8fff5a627e53560261b91f3bcf06fe8502da7c2
                                                                                                      • Instruction ID: 5b0fb5f114c3d1be62031ca50f1207ee62e665853ed64cfa7fd680e1bcd26d38
                                                                                                      • Opcode Fuzzy Hash: 8cfdcc4443df9428c2f15b89e8fff5a627e53560261b91f3bcf06fe8502da7c2
                                                                                                      • Instruction Fuzzy Hash: 94413630B101199FCF859F64D984AAE7BBAFF84350F148429F8069B394DB34DC56DBA0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1839177595.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_6010000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: bdc2673796f3b2952de439dbd81ba1458911fbe6192873fe541bb91e4835259a
                                                                                                      • Instruction ID: 0c5c1999e929aff81dbc440f7da5cfabd554e2775391f180c76f83b9bd749987
                                                                                                      • Opcode Fuzzy Hash: bdc2673796f3b2952de439dbd81ba1458911fbe6192873fe541bb91e4835259a
                                                                                                      • Instruction Fuzzy Hash: 2141D2369002558BDB10DF28D4807DA77B2FF42314F0984B9DC0C7F296DB72A989CBA1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1839177595.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_6010000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 662a474fba4ffb2bd4fdff1713d1e6f64cf820f152166e173088371bf10d6c94
                                                                                                      • Instruction ID: eaab916ba59c24f52817fe7d40be1b87ca943855196dcd9054329353719e18fe
                                                                                                      • Opcode Fuzzy Hash: 662a474fba4ffb2bd4fdff1713d1e6f64cf820f152166e173088371bf10d6c94
                                                                                                      • Instruction Fuzzy Hash: CF413975E012089FCF44CFA9D954AEEBBF2FF89300F14846AE414AB250DB349A45CF90
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1839177595.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_6010000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 1d2075e4a5382893846d3135fb92de0e40253bf5aabef83187a022992c257480
                                                                                                      • Instruction ID: 56f16c915581fbbbfbebdbeba2c4557aa629d2053dae63192480626ecaa53e6f
                                                                                                      • Opcode Fuzzy Hash: 1d2075e4a5382893846d3135fb92de0e40253bf5aabef83187a022992c257480
                                                                                                      • Instruction Fuzzy Hash: 5141D4359003158BDB40EF29D4807DA73B6EF41314F4984B9DD0C7F246DBB6A98ACBA1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000E.00000002.1839177595.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_14_2_6010000_Client.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 59afb536e83dfaac5f2f477a836b7d19dc3ec935ea72c8c1b528dfa18ef18ef8
                                                                                                      • Instruction ID: 78c58ea58de24be4620825d50fffbcd2d131ee9d9b3e9fb7247d8c1cb50733d7