
Windows Analysis Report
RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe

Overview

General Information

Sample name: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
Analysis ID: 1528230
MD5: 55846b937f549f2b9ee2994886a70c76
SHA1: 4bf34c453165bf2dfe1504bd1b1910d6533eba13
SHA256: 97c3e15446de0089faea027dc2ac15455fab29ce4442e889cfe41ed682dcfc19
Tags: exe, user-lowmal3

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe (PID: 3792 cmdline: "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe" MD5: 55846B937F549F2B9EE2994886A70C76)
    • powershell.exe (PID: 2720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual data exfiltration methods, including email, FTP, SMTP, Pastebin and the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
Extracted malware configuration:
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7559518797:AAH0iLCZK1qo8bPJcFwB4ELZaxlgzaM3RR0/sendMessage?chat_id=5116181161", "Token": "7559518797:AAH0iLCZK1qo8bPJcFwB4ELZaxlgzaM3RR0", "Chat_id": "5116181161", "Version": "5.1"}
Yara matches in memory dumps (Source | Rule | Description | Author; matched strings are listed under the rule):
00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x147cb:$a1: get_encryptedPassword
  • 0x14ab7:$a2: get_encryptedUsername
  • 0x145d7:$a3: get_timePasswordChanged
  • 0x146d2:$a4: get_passwordField
  • 0x147e1:$a5: set_encryptedPassword
  • 0x15e71:$a7: get_logins
  • 0x15dd4:$a10: KeyLoggerEventArgs
  • 0x15a3f:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x19824:$x1: $%SMTPDV$
  • 0x18200:$x2: $#TheHashHere%&
  • 0x197cc:$x3: %FTPDV$
  • 0x181a0:$x4: $%TelegramDv$
  • 0x15a3f:$x5: KeyLoggerEventArgs
  • 0x15dd4:$x5: KeyLoggerEventArgs
  • 0x197f0:$m2: Clipboard Logs ID
  • 0x19a2e:$m2: Screenshot Logs ID
  • 0x19b3e:$m2: keystroke Logs ID
  • 0x19e18:$m3: SnakePW
  • 0x19a06:$m4: \SnakeKeylogger\
00000004.00000002.4615792687.0000000002B09000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
(first entries only; the full report lists 14)
Yara matches in unpacked PEs (Source | Rule | Description | Author; matched strings are listed under the rule):
0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x12bcb:$a1: get_encryptedPassword
  • 0x12eb7:$a2: get_encryptedUsername
  • 0x129d7:$a3: get_timePasswordChanged
  • 0x12ad2:$a4: get_passwordField
  • 0x12be1:$a5: set_encryptedPassword
  • 0x14271:$a7: get_logins
  • 0x141d4:$a10: KeyLoggerEventArgs
  • 0x13e3f:$a11: KeyLoggerEventArgsEventHandler
0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1a5f8:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1982a:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x19c5d:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1ac9c:$a5: \Kometa\User Data\Default\Login Data
0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hooking | ditekSHen
  • 0x137b5:$s1: UnHook
  • 0x137bc:$s2: SetHook
  • 0x137c4:$s3: CallNextHook
  • 0x137d1:$s4: _hook
(first entries only; the full report lists 35)

            System Summary

Sigma matches: three rules fired on the same process-start event, two by Florian Roth (Nextron Systems) and one by Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Event data:
Source: Process started
Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"
CommandLine: same as Command
CommandLine|base64offset|contains: ~2yzw
Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"
ParentImage: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
ParentProcessId: 3792
ParentProcessName: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
ProcessCommandLine: same as Command
ProcessId: 2720
ProcessName: powershell.exe
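All three Sigma hits are the same event (ProcessId 2720): the sample spawns PowerShell to add its own path as a Windows Defender exclusion. Two details are worth reading out of the event fields. The command line names System32, but the image that actually started lives under SysWOW64, because the 32-bit parent is subject to WOW64 file-system redirection; a rule that anchors on the literal image path would have to account for that. And Add-MpPreference only succeeds with local administrator rights, so a successful exclusion also tells you the sample was running elevated.

The Python below is an added example, not code from the Joe Sandbox report or from any Sigma rule. It re-implements the detection idea behind the "Powershell Defender Exclusion" and "Powershell Base64 Encoded MpPreference Cmdlet" signatures: match the cmdlet name in clear text, and match it inside a `-EncodedCommand` payload using the same three-alignment trick as Sigma's base64offset modifier, applied to the UTF-16LE form that `-EncodedCommand` actually carries. The event list is constructed; only the PID 2720 event reproduces the command line from the report, the other PIDs and command lines are made up.

```python
"""Flag PowerShell command lines that add or change Windows Defender
preferences, in clear text or inside an -EncodedCommand payload.

Added example, not part of the Joe Sandbox report or of any Sigma rule.
The event list is constructed; only the first event reproduces the
command line seen in the report.
"""
import base64
from typing import List, Optional, Tuple

# Cmdlets that create exclusions or switch Defender features off.
CMDLETS = ("Add-MpPreference", "Set-MpPreference")


def base64offset_variants(needle: bytes) -> List[str]:
    """Return the three base64 fragments that represent ``needle`` at any
    byte alignment inside a longer base64 string (the idea behind Sigma's
    base64offset modifier). Base64 packs 3 bytes into 4 characters, so a
    substring can start at 3 different positions within a group; the
    characters that also depend on neighbouring bytes are trimmed off, so
    each fragment is an exact substring whenever that alignment occurs.
    """
    starts = (0, 2, 3)     # leading chars polluted by 0, 1 or 2 foreign bytes
    ends = (None, -3, -2)  # trailing chars (plus '=' padding) to drop,
                           # indexed by (prefix + len(needle)) % 3
    variants = []
    for prefix_len in range(3):
        enc = base64.b64encode(b"\x00" * prefix_len + needle).decode("ascii")
        variants.append(enc[starts[prefix_len]:ends[(prefix_len + len(needle)) % 3]])
    return variants


# -EncodedCommand carries UTF-16LE text, so the needle is encoded that way.
# PowerShell is case-insensitive but base64 is not: each spelling needs its
# own fragments. Canonical and all-lower-case spellings are covered here.
B64_NEEDLES: List[Tuple[str, str]] = [
    (cmdlet, fragment)
    for cmdlet in CMDLETS
    for spelling in (cmdlet, cmdlet.lower())
    for fragment in base64offset_variants(spelling.encode("utf-16le"))
]


def find_defender_exclusion(command_line: str) -> Optional[str]:
    """Return which cmdlet was found (and how), or None."""
    lowered = command_line.lower()
    for cmdlet in CMDLETS:
        if cmdlet.lower() in lowered:
            return cmdlet
    for cmdlet, fragment in B64_NEEDLES:
        if fragment in command_line:
            return f"{cmdlet} (base64/UTF-16LE)"
    return None


def encode_powershell_command(script: str) -> str:
    """Encode ``script`` the way powershell.exe -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed process-creation events. PID 2720 is the report's event; the
# other two PIDs and command lines are made up.
EVENTS = [
    {"pid": 2720,
     "cmd": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
            'Add-MpPreference -ExclusionPath '
            '"C:\\Users\\user\\Desktop\\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"'},
    {"pid": 4101,
     "cmd": "powershell.exe -nop -w hidden -enc "
            + encode_powershell_command(" add-mppreference -ExclusionPath $env:TEMP")},
    {"pid": 4102, "cmd": "powershell.exe Get-MpPreference"},
]


def scan_events(events) -> List[Tuple[int, str]]:
    """Return (pid, verdict) for every event that touches Defender preferences."""
    hits = []
    for event in events:
        verdict = find_defender_exclusion(event["cmd"])
        if verdict:
            hits.append((event["pid"], verdict))
    return hits


if __name__ == "__main__":
    for pid, verdict in scan_events(EVENTS):
        print(f"pid {pid}: {verdict}")
```

On a host where this fired, the damage is visible in the ExclusionPath property of `Get-MpPreference` and is reverted with `Remove-MpPreference -ExclusionPath`. The base64 fragments are case-sensitive, so every spelling of the cmdlet needs its own set, and an attacker can still dodge the literal match by assembling the cmdlet name at run time; that is why a command-line rule like this should be paired with PowerShell script-block logging, which sees the decoded script.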
Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol):
2024-10-07T17:11:09.276504+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6:49719 | 188.114.97.3:443 | TCP
2024-10-07T17:11:13.782019+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6:49742 | 188.114.97.3:443 | TCP
2024-10-07T17:11:15.009012+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6:49753 | 188.114.97.3:443 | TCP
2024-10-07T17:11:16.255851+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6:49762 | 188.114.97.3:443 | TCP

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol):
2024-10-07T17:11:07.140910+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6:49715 | 193.122.6.168:80 | TCP
2024-10-07T17:11:08.750276+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6:49715 | 193.122.6.168:80 | TCP
2024-10-07T17:11:09.937968+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6:49720 | 193.122.6.168:80 | TCP


            AV Detection

Source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7559518797:AAH0iLCZK1qo8bPJcFwB4ELZaxlgzaM3RR0/sendMessage?chat_id=5116181161", "Token": "7559518797:AAH0iLCZK1qo8bPJcFwB4ELZaxlgzaM3RR0", "Chat_id": "5116181161", "Version": "5.1"}
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | ReversingLabs: Detection: 42%
Source: Submitted sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Joe Sandbox ML: detected

            Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49716 version: TLS 1.0
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: etKP.pdbSHA256 | source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
Source: Binary string: etKP.pdb | source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code functions containing 4x nop followed by the listed instruction (function id in brackets):
  4x nop then jmp 07458839h [0_2_0745815C]
  4x nop then jmp 0278FA39h [4_2_0278F778]
  4x nop then jmp 0278E61Fh [4_2_0278E431]
  4x nop then jmp 0278EFA9h [4_2_0278E431]
  4x nop then mov dword ptr [ebp-14h], 00000000h [4_2_0278D7F0]
  4x nop then jmp 065D88EDh [4_2_065D85B0]
  4x nop then lea esp, dword ptr [ebp-04h] [4_2_065D3676]
  4x nop then jmp 065D6119h [4_2_065D5E70]
  4x nop then jmp 065D69C9h [4_2_065D6720]
  4x nop then jmp 065D72A2h [4_2_065D6FF8]
  4x nop then jmp 065D76F9h [4_2_065D7450]
  4x nop then jmp 065D0741h [4_2_065D0498]
  4x nop then jmp 065D7FA9h [4_2_065D7D00]
  4x nop then jmp 065D5869h [4_2_065D55C0]
  4x nop then jmp 065D5CC1h [4_2_065D5A18]
  4x nop then jmp 065D6571h [4_2_065D62C8]
  4x nop then lea esp, dword ptr [ebp-04h] [4_2_065D3350]
  4x nop then jmp 065D6E21h [4_2_065D6B78]
  4x nop then lea esp, dword ptr [ebp-04h] [4_2_065D3360]
  4x nop then jmp 065D02E9h [4_2_065D0040]
  4x nop then jmp 065D0B99h [4_2_065D08F0]
  4x nop then jmp 065D7B51h [4_2_065D78A8]
  4x nop then jmp 065D8401h [4_2_065D8158]
  4x nop then jmp 065D53E9h [4_2_065D5140]

            Networking

Source: Yara match | File source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected, 8 requests (4 of them with "Connection: Keep-Alive"), no User-Agent header:
  GET /xml/8.46.123.33 HTTP/1.1
  Host: reallyfreegeoip.org
  Connection: Keep-Alive
Source: Joe Sandbox View | IP address: 188.114.97.3
Source: Joe Sandbox View | IP address: 193.122.6.168
Source: Joe Sandbox View | ASN name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49720 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49715 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49719 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49742 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49753 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49762 -> 188.114.97.3:443
Source: global traffic | HTTP traffic detected, 9 requests (6 of them with "Connection: Keep-Alive"):
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Strings found in binary or memory (Source | String). Memory dumps of RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe are written as prefix.{offsets}.suffix, one dump per offset:
Source: dumps 00000004.00000002.4615792687.{0000000002A97000, 0000000002A04000, 0000000002AC0000, 0000000002AFB000, 0000000002AA5000, 0000000002AB2000, 0000000002AED000}.00000004.00000800.00020000.00000000.sdmp | http://checkip.dyndns.com
Source: dumps 00000004.00000002.4615792687.{0000000002A47000, 0000000002A97000, 0000000002ACD000, 0000000002A04000, 0000000002AC0000, 0000000002941000, 0000000002AFB000, 0000000002AA5000, 0000000002AB2000, 0000000002AED000}.00000004.00000800.00020000.00000000.sdmp | http://checkip.dyndns.org
Source: dump 00000004.00000002.4615792687.0000000002941000.00000004.00000800.00020000.00000000.sdmp | http://checkip.dyndns.org/
Source: dumps 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp | http://checkip.dyndns.org/q
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | http://ocsp.comodoca.com0
Source: dumps 00000004.00000002.4615792687.{0000000002A97000, 0000000002AC0000, 0000000002AFB000, 0000000002AA5000, 0000000002AB2000, 0000000002AED000, 0000000002A1D000}.00000004.00000800.00020000.00000000.sdmp | http://reallyfreegeoip.org
Source: dumps 00000000.00000002.2192543464.0000000002C79000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002941000.00000004.00000800.00020000.00000000.sdmp | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: dumps 00000004.00000002.4615792687.{0000000002A47000, 0000000002A97000, 0000000002A04000, 0000000002AC0000, 0000000002AFB000, 0000000002AA5000, 0000000002AB2000, 0000000002AED000}.00000004.00000800.00020000.00000000.sdmp | https://reallyfreegeoip.org
Source: dumps 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002A04000.00000004.00000800.00020000.00000000.sdmp | https://reallyfreegeoip.org/xml/
Source: dump 00000004.00000002.4615792687.0000000002AED000.00000004.00000800.00020000.00000000.sdmp | https://reallyfreegeoip.org/xml/8.46.123.33
Source: dumps 00000004.00000002.4615792687.{0000000002A47000, 0000000002A97000, 0000000002AC0000, 0000000002AFB000, 0000000002AA5000, 0000000002AB2000, 0000000002AED000}.00000004.00000800.00020000.00000000.sdmp | https://reallyfreegeoip.org/xml/8.46.123.33$
Source: dump 00000004.00000002.4615792687.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp | https://reallyfreegeoip.orgp
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | https://www.chiark.greenend.org.uk/~sgtatham/putty/0
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49774
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
            Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
            Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
            Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
            Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443

            System Summary

            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 3792, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 3792, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 6248, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 6248, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: initial sample | Static PE information: Filename: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Process Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 0_2_011BD55C
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 0_2_07459550
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 0_2_07450040
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 0_2_07453478
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 0_2_07453040
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 0_2_07450006
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 0_2_07454F58
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 0_2_07456D88
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 0_2_07452C08
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 0_2_07452BCE
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 0_2_074538B0
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_0278B328
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_02786108
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_0278C193
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_0278F778
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_0278C753
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_0278C470
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_0278E431
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_0278CA33
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_02784AD9
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_02789858
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_02786880
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_0278BEB0
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_0278D7F0
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_0278D7E0
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_0278B4F3
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065DA600
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065DBF30
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D9FB0
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065DAC48
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D0D48
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065DC580
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D85B0
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065DD218
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065DB290
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065DCBD0
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D8BF9
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065DB8E0
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D5E70
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D5E60
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D36D8
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D6712
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D6720
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065DBF20
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D6FF8
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D6FE8
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D9FA0
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D7450
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D743F
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065DAC37
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D7CF0
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D0498
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D0488
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065DC570
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D7D00
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D0D39
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D55C0
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065DA5F0
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D55B1
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D85A4
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D5A18
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D5A08
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065DD20A
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D62C8
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065DB281
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D62B8
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D3350
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D6B78
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D6B69
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D3360
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D43D8
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065DCBC0
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D2858
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D2848
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D0040
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D0006
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065DB8D0
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D08F0
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D08E1
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D7898
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D78A8
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D8158
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D8148
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D5140
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_065D5132
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeStatic PE information: invalid certificate
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000002.2195944985.00000000073A0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000002.2191649237.0000000000ECE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000002.2192543464.0000000002CC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000002.2195703547.0000000007299000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000000.2148059033.00000000007A6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameetKP.exe, vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4612876475.00000000007B7000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeBinary or memory string: OriginalFilenameetKP.exe, vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 3792, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 3792, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 6248, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 6248, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, --.cs | Base64 encoded string: 'UqC6YRsrrVEVxlNhM5FwjBtLqBVf6yxcO6vUDb7jXkO1yVIEJnIthqDp9nfDtEUH'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, --.cs | Base64 encoded string: 'UqC6YRsrrVEVxlNhM5FwjBtLqBVf6yxcO6vUDb7jXkO1yVIEJnIthqDp9nfDtEUH'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, HqFxki3A1vCn5OMCLQ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, HqFxki3A1vCn5OMCLQ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, hkSTlC5RUL7xPxn3jU.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, hkSTlC5RUL7xPxn3jU.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, hkSTlC5RUL7xPxn3jU.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, hkSTlC5RUL7xPxn3jU.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, hkSTlC5RUL7xPxn3jU.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, hkSTlC5RUL7xPxn3jU.cs | Security API names: _0020.AddAccessRule
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/6@2/2
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.log
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Mutant created: \Sessions\1\BaseNamedObjects\gQHCoDCKrHyAq
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0py1rknh.fvk.ps1
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4616935987.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002B72000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002BB8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | ReversingLabs: Detection: 42%
            Source: unknown | Process created: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Process created: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Process created: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Sections loaded (in load order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, windowscodecs.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Sections loaded (in load order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Sections loaded (in load order): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, sspicli.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, dpapi.dll
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: etKP.pdbSHA256 source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
            Source: Binary string: etKP.pdb source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
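            The process tree above shows the two behaviours worth turning into endpoint detections rather than leaving to a sandbox: the sample launches powershell.exe with Add-MpPreference -ExclusionPath pointing at its own path, and then re-launches its own image (the second instance, PID 6248 in the memory-string matches above, is where the Snake Keylogger rules hit at an RWX region). The following is an added example, not part of the Joe Sandbox report and not the sample's code, that runs that logic over a handful of constructed Sysmon-style process-creation records. The PIDs 3792 and 6248 and the two command lines are taken from the report; the PowerShell and conhost PIDs, the parent PID, the record field names and the benign control event are assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 style; field names assumed)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int        # process the finding is attributed to (the parent that drove it)
    severity: str   # "high" or "info"
    detail: str


SAMPLE = r"C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"
PS_WOW = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events modelled on the report's process tree. 3792 and 6248 are the
# sample PIDs from the report; 4100, 5100, 7120, 700 and 800 are made up here.
EVENTS = [
    ProcEvent(3792, 4100, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(5100, 3792, PS_WOW,
              f'"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
              f'Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    ProcEvent(7120, 5100, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(6248, 3792, SAMPLE, f'"{SAMPLE}"'),
    # Benign control (constructed): an admin excluding a build directory interactively.
    ProcEvent(800, 700, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe Add-MpPreference -ExclusionPath "C:\\Builds"'),
]

# Value of -Exclusion{Path,Process,Extension}: quoted (may contain spaces) or a bare token.
EXCLUSION_RE = re.compile(r'-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def defender_exclusions(events):
    """Return (event, excluded_value) for every Add-MpPreference exclusion on a command line."""
    hits = []
    for ev in events:
        if not re.search(r"\bAdd-MpPreference\b", ev.cmdline, re.I):
            continue
        for m in EXCLUSION_RE.finditer(ev.cmdline):
            hits.append((ev, m.group(1) or m.group(2)))
    return hits


def triage(events):
    """Attribute findings to the parent process that drove the behaviour.

    high: the parent excluded its *own* image from Defender, or re-launched its own
          image (the child that later carries the injected payload in the report).
    info: any other Defender exclusion; worth logging, but admins do this legitimately.
    """
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev, value in defender_exclusions(events):
        parent = by_pid.get(ev.ppid)
        if parent is not None and _norm(value) == _norm(parent.image):
            findings.append(Finding(parent.pid, "high",
                                    f"excluded its own image from Defender via pid {ev.pid}"))
        else:
            findings.append(Finding(ev.ppid, "info",
                                    f"Defender exclusion added for {value!r} by pid {ev.pid}"))
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is not None and _norm(parent.image) == _norm(ev.image):
            findings.append(Finding(parent.pid, "high",
                                    f"re-launched its own image as pid {ev.pid} (injection candidate)"))
    return findings


def high_confidence_pids(events):
    """PIDs with at least two independent high-severity findings (exclusion + self-relaunch)."""
    counts = defaultdict(int)
    for f in triage(events):
        if f.severity == "high":
            counts[f.pid] += 1
    return {pid for pid, n in counts.items() if n >= 2}


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.severity}] pid {f.pid}: {f.detail}")
    print("high-confidence:", high_confidence_pids(EVENTS))
```

            The findings are attributed to the parent rather than to the PowerShell child: the child is a signed Microsoft binary that exits immediately, the parent is what keeps running. Requiring both signals before calling a process high-confidence keeps ordinary administrative exclusions and same-image child spawning (browsers, updaters) from paging anyone, while either signal on its own is still worth logging. On a live host the matching spot check is `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath`, which will list the sample's full path if this ran.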

            Data Obfuscation

            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, Form1.cs | .Net Code: InitializeComponent contains xor as well as GetObject
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.7250000.4.raw.unpack, RZ.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.2c549b8.0.raw.unpack, RZ.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, hkSTlC5RUL7xPxn3jU.cs | .Net Code: Y6hSJL6GVT System.Reflection.Assembly.Load(byte[])
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, hkSTlC5RUL7xPxn3jU.cs | .Net Code: Y6hSJL6GVT System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 0_2_07458A71 pushfd ; retf 0_2_07458A7D
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 0_2_07458920 push esp; retf 0_2_0745892D
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Code function: 4_2_027824B9 push 8BFFFFFFh; retf 4_2_027824BF
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Static PE information: section name: .text entropy: 7.9840551385774425
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, apo4tjGCtihkWYaBkq.cs | High entropy of concatenated method names: 'dZl0AWsseQ', 'P2H0w7l8jb', 'YE90GKAUT4', 'vqD0iHRMMw', 'k3G0vTZSmL', 'r0k0ETVBND', 'eSw04B4BsP', 'kv20XivkR1', 'MUq0OmjerS', 'HJC07HD9tB'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, jVySOoQiFl5ijC5bvT.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ip1xlawhcf', 'V07xI5SQqR', 'TqWxzLVFhB', 'KmNZhIZow7', 'FCyZdLGoJc', 'CF7Zxj2nKv', 'CmHZZxEErr', 'T016VvzLA7Luc0B6fB'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, cVfvXCCnrDwPHJracR.cs | High entropy of concatenated method names: 'ToString', 'FbJLB1Akdp', 'YLPLvbrSwm', 'rZWLERFk4Q', 'DDVL4Mfmcv', 'HBWLXOTDAv', 'XOeLOQBdUp', 'EHqL7c06Q8', 'qROL8Sxd5j', 'MtgLKnVJbm'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, fOUQ8G7CnX9aHO2E5t.cs | High entropy of concatenated method names: 'SZPRqChS4f', 'e4ORQMqfeD', 'No9RmBAQDd', 'e9cmIMujE8', 'QhDmzxbZIn', 'bYhRhg74iJ', 'IMPRdN278W', 'v7vRx96er8', 'cTeRZ93DBw', 'MyTRSeLg7A'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, Oq8qi9SKto8YMa4L7w.cs | High entropy of concatenated method names: 'eJvdRqFxki', 'O1vd5Cn5OM', 'FkBd13c4kC', 'N8SduFUfXS', 'Ryid05cd9C', 'xaIdLA8EDm', 'Akh4cD5X1DAO8b69Co', 'TMZsaRbWsE65irKmFj', 'k9dddIHWJw', 'p6rdZd9r2X'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, FKxeljgkB3c4kCA8SF.cs | High entropy of concatenated method names: 'HiTQT4IlYc', 'nHqQVcmxt9', 'Gc7Q3UDCTR', 'VMCQgOlgdb', 'FuTQ0KBS4M', 'rmJQLGGZLM', 'NB9Qsf01V6', 'y1sQtbniDT', 'wmMQeMsq8y', 'vu2QnDOL5p'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, zIlIBVFSdB3O1v84Na.cs | High entropy of concatenated method names: 'GdWs1Lwu31', 'Yw9suAWu8J', 'ToString', 'HWasqtqSyB', 'ftMsfWoKXa', 'xSEsQotM50', 'tifsaCRnZD', 'CLOsmbjIxf', 'BJcsRil9Qp', 'oZRs5X4OP4'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, pc5ssqdZ5cWT47rXgGL.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Hs7nGP77Jb', 'q6qniCP72Q', 'BwxnCokAyQ', 'wPQnFGGqsh', 'bnunHaJu1o', 'cyMncanpLD', 'B26nkDJ0U9'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, iwbfPsILF4ICcoofS1.cs | High entropy of concatenated method names: 'Bf6edURNa5', 'h01eZdICeR', 'vSdeSGdL1k', 'zVGeqBybBL', 'cD9efIVBfv', 'sFFeauxYlw', 'nARemibQDl', 'svqtkk46mi', 'OmCtpYPPuQ', 'v6stl82d9c'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, hkSTlC5RUL7xPxn3jU.cs | High entropy of concatenated method names: 'lAwZDROfg4', 'CGtZqEGEwD', 'HpkZfjCnOM', 'ar5ZQmKxlW', 'K07ZaVsTvT', 'HUXZmTE91m', 'GXIZReyBRA', 'uXyZ5k1rXH', 'SyvZbbPbAH', 'yfiZ1ZXPvm'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, KmQX5edhJgJUquX2aT8.cs | High entropy of concatenated method names: 'xgkeYFxkyh', 'KXbeNjfPbK', 'gp6eJdfKjo', 'CH8eTDSBdX', 'PGMe6pQjJJ', 'Mb0eVLU2J0', 'aARerdVw5J', 'arte3rG7Q8', 'DEOegerMhW', 'DegejlS9d3'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, mnmdGHp56L5W8OqTDh.cs | High entropy of concatenated method names: 'qCFtq2tRd0', 'h7OtfyBnZD', 'b2HtQcov00', 'i6EtaTSgDb', 'MRptmMI2QM', 'qsJtR8mikH', 'BxVt5rCxMG', 'aYntby3RnW', 'D0Ct1Ni87j', 'QBBtu4xfoo'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, HqFxki3A1vCn5OMCLQ.cs | High entropy of concatenated method names: 'mmTfGbTJdm', 'NG4fifQidI', 'u9nfCiCBsR', 'xW4fFym22j', 'KCwfHi2CUw', 'u6cfcdmCPE', 'xkBfkhpNkm', 'zjMfpraUMY', 'VPYflIUAEp', 'vfdfIgc8EX'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, XeM20Z9Mh8ST8agJyv.cs | High entropy of concatenated method names: 'hury3o1dHJ', 'Yt5ygbHBSf', 'Mhey2Ja2CF', 'CuiyvTIj66', 'jpoy4P8Etp', 'AXjyX25m0P', 'za0y7xbk39', 'NJTy8N0as8', 'QDEyAMnftC', 'GHmyBkotxL'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, gVT1VJK1DmxfnaYGEv.cs | High entropy of concatenated method names: 'KD9RYMROtL', 'C2GRNRtHJW', 'ncFRJBKHUY', 'MI0RTPISrw', 'uhwR6a4vto', 'RvcRV3ovaW', 'AKERrx1Qov', 'GcxR3Y3Kat', 'jYFRggV3fX', 'WdxRjC0An0'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, XupCdXxxQvoQy5ukXy.cs | High entropy of concatenated method names: 'BGMJcL995', 'HHfTFbBTY', 'GIAVLKtj5', 't6crOnbuw', 'SG7grhd6p', 'KUnjyV8oT', 'zNC5AjrhMnVliFm3HQ', 'WWm9jOF214gB8jcQtv', 'QRNRELUBRceasGHVj1', 'hATte8mFP'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, b9CYaI2A8EDmtopdnv.cs | High entropy of concatenated method names: 'H1QmDeycha', 'hrcmffaLEY', 'Cl5matF1JE', 'CVDmRqnfhP', 'vnpm5L1Uae', 'ChTaHWPNXK', 'xOeac9G3fO', 'Ni0akISwne', 'NFMap2PF4d', 'zeCalJ9doE'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, bDuuv3cRtAGalADw6V.cs | High entropy of concatenated method names: 'Y9hspVywoE', 'xRVsI0oPqj', 'pcFth8TGWG', 'IW1tdDpTs9', 'cOGsBhW1gU', 'PCEswMbIQh', 'WFJs9HokDR', 'JjqsGWJyuj', 'SfVsicGrkH', 'JKcsCu3vhW'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, sxpQEYfyCHULBZAink.cs | High entropy of concatenated method names: 'Dispose', 'mTAdlkJUbI', 'UrAxvZVM9U', 'NUZccobIT4', 'gundImdGH5', 'BL5dzW8OqT', 'ProcessDialogKey', 'ehBxhtsEg7', 'ye6xdjL2pM', 'SdjxxawbfP'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, ufXSgCjI4MNCpGyi5c.cs | High entropy of concatenated method names: 'l1ca6bEpdV', 'bOuarKVoiU', 'mJyQE8Iesc', 'K4wQ4foiJ6', 'dWVQXCpGOm', 'WG6QOmRJPb', 'U5nQ7J7wFm', 'FFTQ8FENV7', 'nquQK5BfDW', 'nJoQAQALp8'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, apo4tjGCtihkWYaBkq.cs | High entropy of concatenated method names: 'dZl0AWsseQ', 'P2H0w7l8jb', 'YE90GKAUT4', 'vqD0iHRMMw', 'k3G0vTZSmL', 'r0k0ETVBND', 'eSw04B4BsP', 'kv20XivkR1', 'MUq0OmjerS', 'HJC07HD9tB'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, jVySOoQiFl5ijC5bvT.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ip1xlawhcf', 'V07xI5SQqR', 'TqWxzLVFhB', 'KmNZhIZow7', 'FCyZdLGoJc', 'CF7Zxj2nKv', 'CmHZZxEErr', 'T016VvzLA7Luc0B6fB'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, cVfvXCCnrDwPHJracR.cs | High entropy of concatenated method names: 'ToString', 'FbJLB1Akdp', 'YLPLvbrSwm', 'rZWLERFk4Q', 'DDVL4Mfmcv', 'HBWLXOTDAv', 'XOeLOQBdUp', 'EHqL7c06Q8', 'qROL8Sxd5j', 'MtgLKnVJbm'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, fOUQ8G7CnX9aHO2E5t.cs | High entropy of concatenated method names: 'SZPRqChS4f', 'e4ORQMqfeD', 'No9RmBAQDd', 'e9cmIMujE8', 'QhDmzxbZIn', 'bYhRhg74iJ', 'IMPRdN278W', 'v7vRx96er8', 'cTeRZ93DBw', 'MyTRSeLg7A'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, Oq8qi9SKto8YMa4L7w.cs | High entropy of concatenated method names: 'eJvdRqFxki', 'O1vd5Cn5OM', 'FkBd13c4kC', 'N8SduFUfXS', 'Ryid05cd9C', 'xaIdLA8EDm', 'Akh4cD5X1DAO8b69Co', 'TMZsaRbWsE65irKmFj', 'k9dddIHWJw', 'p6rdZd9r2X'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, FKxeljgkB3c4kCA8SF.cs | High entropy of concatenated method names: 'HiTQT4IlYc', 'nHqQVcmxt9', 'Gc7Q3UDCTR', 'VMCQgOlgdb', 'FuTQ0KBS4M', 'rmJQLGGZLM', 'NB9Qsf01V6', 'y1sQtbniDT', 'wmMQeMsq8y', 'vu2QnDOL5p'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, zIlIBVFSdB3O1v84Na.cs | High entropy of concatenated method names: 'GdWs1Lwu31', 'Yw9suAWu8J', 'ToString', 'HWasqtqSyB', 'ftMsfWoKXa', 'xSEsQotM50', 'tifsaCRnZD', 'CLOsmbjIxf', 'BJcsRil9Qp', 'oZRs5X4OP4'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, pc5ssqdZ5cWT47rXgGL.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Hs7nGP77Jb', 'q6qniCP72Q', 'BwxnCokAyQ', 'wPQnFGGqsh', 'bnunHaJu1o', 'cyMncanpLD', 'B26nkDJ0U9'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, iwbfPsILF4ICcoofS1.cs | High entropy of concatenated method names: 'Bf6edURNa5', 'h01eZdICeR', 'vSdeSGdL1k', 'zVGeqBybBL', 'cD9efIVBfv', 'sFFeauxYlw', 'nARemibQDl', 'svqtkk46mi', 'OmCtpYPPuQ', 'v6stl82d9c'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, hkSTlC5RUL7xPxn3jU.cs | High entropy of concatenated method names: 'lAwZDROfg4', 'CGtZqEGEwD', 'HpkZfjCnOM', 'ar5ZQmKxlW', 'K07ZaVsTvT', 'HUXZmTE91m', 'GXIZReyBRA', 'uXyZ5k1rXH', 'SyvZbbPbAH', 'yfiZ1ZXPvm'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, KmQX5edhJgJUquX2aT8.cs | High entropy of concatenated method names: 'xgkeYFxkyh', 'KXbeNjfPbK', 'gp6eJdfKjo', 'CH8eTDSBdX', 'PGMe6pQjJJ', 'Mb0eVLU2J0', 'aARerdVw5J', 'arte3rG7Q8', 'DEOegerMhW', 'DegejlS9d3'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, mnmdGHp56L5W8OqTDh.csHigh entropy of concatenated method names: 'qCFtq2tRd0', 'h7OtfyBnZD', 'b2HtQcov00', 'i6EtaTSgDb', 'MRptmMI2QM', 'qsJtR8mikH', 'BxVt5rCxMG', 'aYntby3RnW', 'D0Ct1Ni87j', 'QBBtu4xfoo'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, HqFxki3A1vCn5OMCLQ.csHigh entropy of concatenated method names: 'mmTfGbTJdm', 'NG4fifQidI', 'u9nfCiCBsR', 'xW4fFym22j', 'KCwfHi2CUw', 'u6cfcdmCPE', 'xkBfkhpNkm', 'zjMfpraUMY', 'VPYflIUAEp', 'vfdfIgc8EX'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, XeM20Z9Mh8ST8agJyv.csHigh entropy of concatenated method names: 'hury3o1dHJ', 'Yt5ygbHBSf', 'Mhey2Ja2CF', 'CuiyvTIj66', 'jpoy4P8Etp', 'AXjyX25m0P', 'za0y7xbk39', 'NJTy8N0as8', 'QDEyAMnftC', 'GHmyBkotxL'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, gVT1VJK1DmxfnaYGEv.csHigh entropy of concatenated method names: 'KD9RYMROtL', 'C2GRNRtHJW', 'ncFRJBKHUY', 'MI0RTPISrw', 'uhwR6a4vto', 'RvcRV3ovaW', 'AKERrx1Qov', 'GcxR3Y3Kat', 'jYFRggV3fX', 'WdxRjC0An0'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, XupCdXxxQvoQy5ukXy.csHigh entropy of concatenated method names: 'BGMJcL995', 'HHfTFbBTY', 'GIAVLKtj5', 't6crOnbuw', 'SG7grhd6p', 'KUnjyV8oT', 'zNC5AjrhMnVliFm3HQ', 'WWm9jOF214gB8jcQtv', 'QRNRELUBRceasGHVj1', 'hATte8mFP'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, b9CYaI2A8EDmtopdnv.csHigh entropy of concatenated method names: 'H1QmDeycha', 'hrcmffaLEY', 'Cl5matF1JE', 'CVDmRqnfhP', 'vnpm5L1Uae', 'ChTaHWPNXK', 'xOeac9G3fO', 'Ni0akISwne', 'NFMap2PF4d', 'zeCalJ9doE'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, bDuuv3cRtAGalADw6V.csHigh entropy of concatenated method names: 'Y9hspVywoE', 'xRVsI0oPqj', 'pcFth8TGWG', 'IW1tdDpTs9', 'cOGsBhW1gU', 'PCEswMbIQh', 'WFJs9HokDR', 'JjqsGWJyuj', 'SfVsicGrkH', 'JKcsCu3vhW'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, sxpQEYfyCHULBZAink.csHigh entropy of concatenated method names: 'Dispose', 'mTAdlkJUbI', 'UrAxvZVM9U', 'NUZccobIT4', 'gundImdGH5', 'BL5dzW8OqT', 'ProcessDialogKey', 'ehBxhtsEg7', 'ye6xdjL2pM', 'SdjxxawbfP'
            Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, ufXSgCjI4MNCpGyi5c.csHigh entropy of concatenated method names: 'l1ca6bEpdV', 'bOuarKVoiU', 'mJyQE8Iesc', 'K4wQ4foiJ6', 'dWVQXCpGOm', 'WG6QOmRJPb', 'U5nQ7J7wFm', 'FFTQ8FENV7', 'nquQK5BfDW', 'nJoQAQALp8'

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: Yara match; File source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 3792, type: MEMORYSTR
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Memory allocated: 1110000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Memory allocated: 2C20000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Memory allocated: 7800000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Memory allocated: 8800000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Memory allocated: 89A0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Memory allocated: 99A0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Memory allocated: 2740000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Memory allocated: 2940000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Memory allocated: 4940000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 599890
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 599781
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 599671
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 599562
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 599453
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 599343
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 599234
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 599125
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 599015
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 598888
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 598781
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 598671
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 598562
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 598453
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 598343
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 598234
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 598124
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 598015
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 597905
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 597797
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 597687
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 597578
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 597468
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 597359
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 597250
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 597139
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 597030
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 596921
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 596812
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 596703
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 596593
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 596482
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 596374
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 596265
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 596134
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 596015
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 595904
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 595283
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 595156
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 595046
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 594936
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 594828
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 594718
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 594608
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 594500
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 594390
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 594281
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 594171
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 594061
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 593953
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Thread delayed: delay time: 593843
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6194
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3616
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Window / User API: threadDelayed 2008
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Window / User API: threadDelayed 7837
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 5200; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2536; Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep count: 33 > 30
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -30437127721620741s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 6108; Thread sleep count: 2008 > 30
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -599890s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 6108; Thread sleep count: 7837 > 30
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -599781s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -599671s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -599562s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -599453s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -599343s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -599234s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -599125s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -599015s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -598888s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -598781s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -598671s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -598562s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -598453s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -598343s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -598234s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -598124s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -598015s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -597905s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -597797s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -597687s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -597578s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -597468s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -597359s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -597250s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -597139s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -597030s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -596921s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -596812s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -596703s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -596593s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -596482s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -596374s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -596265s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -596134s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -596015s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -595904s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -595283s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -595156s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -595046s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -594936s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -594828s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -594718s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -594608s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -594500s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -594390s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -594281s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -594171s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -594061s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -593953s >= -30000s
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620; Thread sleep time: -593843s >= -30000s
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000002.2195703547.0000000007270000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000002.2195703547.0000000007270000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4613235913.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"Jump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeMemory written: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe base: 400000 value starts with: 4D5AJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"Jump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeProcess created: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"Jump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeQueries volume information: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeQueries volume information: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
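The lines in this section that matter most for detection are the PowerShell child that adds a Windows Defender path exclusion for the sample's own path, the sample starting a second copy of itself, and the MZ header written at base 400000 of that copy. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it runs two rules over constructed Sysmon-style process-creation records (image, command line, parent image) that mirror those lines. The record format, the list of user-writable path markers, the handling of a base64 -EncodedCommand variant, and the benign control events are assumptions made for the example; the paths and the Add-MpPreference command line it flags are the ones listed above.

```python
"""Detection rules for the defence-evasion behaviour listed above: a PowerShell
child that adds a Windows Defender exclusion for its own parent, and a binary
in a user-writable location that starts a copy of itself (the hollowing
target). All records are constructed Sysmon Event ID 1 style data, not
sandbox output."""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:
    image: str          # Image (full path of the new process)
    command_line: str   # CommandLine
    parent_image: str   # ParentImage


# Add-MpPreference with any -Exclusion* parameter (PowerShell accepts partial
# parameter names, so "-ExclusionP" is matched too) and its quoted/bare value.
MPPREF_RE = re.compile(
    r'(?i)add-mppreference.*?-exclusion\w*\s+(?:"([^"]+)"|\'([^\']+)\'|(\S+))'
)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob. "-ExclusionPath"
# and "-ExecutionPolicy" do not match because no whitespace follows the "-e".
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})")
# Path fragments treated as user-writable (assumption for the example).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def expand_command_line(cmd: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the
    exclusion regex also sees a cmdlet hidden behind encoding."""
    m = ENC_RE.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd
    return cmd + " " + decoded


def rule_defender_exclusion(ev: ProcessCreate) -> list[str]:
    """Rule 1: powershell.exe running Add-MpPreference -Exclusion*. Escalates
    when the excluded path is the parent itself or lies in a user-writable dir."""
    if not ev.image.lower().endswith("powershell.exe"):
        return []
    m = MPPREF_RE.search(expand_command_line(ev.command_line))
    if not m:
        return []
    excluded = next(g for g in m.groups() if g)
    findings = ["defender_exclusion_added: " + excluded]
    if excluded.lower() == ev.parent_image.lower():
        findings.append("self_exclusion: excluded path is the parent process image")
    elif is_user_writable(excluded):
        findings.append("exclusion_in_user_writable_path")
    return findings


def rule_self_spawn(ev: ProcessCreate) -> list[str]:
    """Rule 2: a binary in a user-writable location starts a copy of itself,
    the pattern behind the 'Process created: <same exe>' line (the child is
    the target of the 'Memory written ... 4D5A' line). Heuristic: multi-process
    applications installed under Program Files are excluded by the path check."""
    if ev.image.lower() == ev.parent_image.lower() and is_user_writable(ev.image):
        return ["self_spawn_user_writable: " + ev.image]
    return []


def scan(events: list[ProcessCreate]) -> list[tuple[int, str]]:
    """Run both rules over the events; returns (event index, finding) pairs."""
    out: list[tuple[int, str]] = []
    for i, ev in enumerate(events):
        for rule in (rule_defender_exclusion, rule_self_spawn):
            out.extend((i, f) for f in rule(ev))
    return out


# Constructed events mirroring the report's process tree (not sandbox output).
SAMPLE = r"C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\svc.exe"'
    .encode("utf-16-le")).decode("ascii")
EVENTS = [
    ProcessCreate(PS32, '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                  'Add-MpPreference -ExclusionPath "' + SAMPLE + '"', SAMPLE),
    ProcessCreate(SAMPLE, '"' + SAMPLE + '"', SAMPLE),
    ProcessCreate(PS32, "powershell.exe -nop -w hidden -enc " + ENCODED,
                  r"C:\Windows\explorer.exe"),
    ProcessCreate(PS32, "powershell.exe Get-MpPreference", r"C:\Windows\explorer.exe"),
    ProcessCreate(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                  "chrome.exe --type=renderer",
                  r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]

if __name__ == "__main__":
    for idx, finding in scan(EVENTS):
        print(idx, finding)
```

The self-exclusion check is the high-confidence signal: a legitimate administrator does not exclude the very executable that spawned the PowerShell session. The self-spawn rule is a heuristic and will need an allow-list in environments where user-profile installers (per-user browsers, Electron apps) are common.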

            Stealing of Sensitive Information

Source: Yara match | File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4615792687.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4615792687.0000000002941000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 3792, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 6248, type: MEMORYSTR
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 3792, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 6248, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4615792687.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4615792687.0000000002941000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 3792, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 6248, type: MEMORYSTR

MITRE ATT&CK Matrix

Techniques flagged for this sample, grouped by tactic. The number before each technique is the count shown in the report's matrix cell.

Reconnaissance: none flagged
Resource Development: none flagged
Initial Access: none flagged
Execution: none flagged
Persistence: 1 DLL Side-Loading
Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading
Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 31 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping
Discovery: 1 Query Registry; 1 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 13 System Information Discovery
Lateral Movement: none flagged
Collection: 1 Email Collection; 11 Archive Collected Data; 1 Data from Local System
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol
Exfiltration: none flagged
Impact: none flagged
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.SnakeStealer
RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe | 100% | Joe Sandbox ML |

Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches
URLs
Source | Detection | Scanner | Label
https://reallyfreegeoip.org | 0% | URL Reputation | safe
http://checkip.dyndns.org | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
http://checkip.dyndns.com | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
http://reallyfreegeoip.org | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 188.114.97.3 | true | true | | unknown
checkip.dyndns.com | 193.122.6.168 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33 | false | URL Reputation: safe | unknown
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation

https://reallyfreegeoip.org
  Source: memory dumps of RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe: 00000004.00000002.4615792687.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002A04000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AED000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

http://checkip.dyndns.org
  Source: memory dumps of RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe: 00000004.00000002.4615792687.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002ACD000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002A04000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002941000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AED000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

https://reallyfreegeoip.orgp
  Source: memory dump of RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe: 00000004.00000002.4615792687.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: none | Reputation: unknown

http://checkip.dyndns.com
  Source: memory dumps of RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe: 00000004.00000002.4615792687.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002A04000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AED000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

https://reallyfreegeoip.org/xml/8.46.123.33$
  Source: memory dumps of RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe: 00000004.00000002.4615792687.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AED000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: memory dumps of RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe: 00000000.00000002.2192543464.0000000002C79000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002941000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

https://www.chiark.greenend.org.uk/~sgtatham/putty/0
  Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe (sample file)
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

http://checkip.dyndns.org/q
  Source: memory dumps of RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

http://reallyfreegeoip.org
  Source: memory dumps of RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe: 00000004.00000002.4615792687.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002AED000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002A1D000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

https://reallyfreegeoip.org/xml/
  Source: memory dumps of RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 00000004.00000002.4615792687.0000000002A04000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1528230
                    Start date and time:2024-10-07 17:10:10 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 7m 47s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:8
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@6/6@2/2
                    EGA Information:
                    • Successful, ratio: 50%
                    HCA Information:
                    • Successful, ratio: 99%
                    • Number of executed functions: 133
                    • Number of non-executed functions: 7
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, PID 6248 because it is empty
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • VT rate limit hit for: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    Time | Type | Description
                    11:11:04 | API Interceptor | 10988664x Sleep call for process: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe modified
                    11:11:05 | API Interceptor | 12x Sleep call for process: powershell.exe modified
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    188.114.97.3 | scan_374783.js | malicious | AgentTesla
                    • paste.ee/d/gvOd3
                     | IRYzGMMbSw.exe | malicious | FormBook
                    • www.bayarcepat19.click/yuvr/
                     | Arrival Notice.exe | malicious | FormBook
                    • www.cc101.pro/0r21/
                     | http://www.thegulfthermale.com.tr/antai/12/3dsec.php | malicious | Unknown
                    • www.thegulfthermale.com.tr/antai/12/3dsec.php
                     | QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown
                    • filetransfer.io/data-package/eZFzMENr/download
                     | QUOTATION_OCTQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger
                    • filetransfer.io/data-package/MlZtCPkK/download
                     | https://technopro-bg.com/redirect.php?action=url&goto=mairie-espondeilhan.com&osCsid=m24rb0l158b8m36rktotvg5ti2 | malicious | HTMLPhisher
                    • mairie-espondeilhan.com/
                     | QUOTATION_SEPQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger
                    • filetransfer.io/data-package/758bYd86/download
                     | QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown
                    • filetransfer.io/data-package/58PSl7si/download
                     | QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown
                    • filetransfer.io/data-package/58PSl7si/download
                    193.122.6.168 | PO.doc | malicious | Snake Keylogger, VIP Keylogger
                    • checkip.dyndns.org/
                     | Pla#U0107anje,jpg.exe | malicious | Snake Keylogger, VIP Keylogger
                    • checkip.dyndns.org/
                     | ENQUIRY NEED QUOTATION.exe | malicious | Snake Keylogger, VIP Keylogger
                    • checkip.dyndns.org/
                     | na.hta | malicious | Cobalt Strike, Snake Keylogger
                    • checkip.dyndns.org/
                     | 8038.exe | malicious | Snake Keylogger
                    • checkip.dyndns.org/
                     | MT103-93850.doc | malicious | Snake Keylogger, VIP Keylogger
                    • checkip.dyndns.org/
                     | StatementXofXaccount.docx.doc | malicious | Snake Keylogger, VIP Keylogger
                    • checkip.dyndns.org/
                     | TTXAPPLICATION.xls | malicious | Snake Keylogger
                    • checkip.dyndns.org/
                     | KBGC_1200O000000_98756.docx.doc | malicious | Snake Keylogger, VIP Keylogger
                    • checkip.dyndns.org/
                     | Updated New Order.xls | malicious | Snake Keylogger
                    • checkip.dyndns.org/
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    reallyfreegeoip.org | ABH projesi_SLG6%0190%_fiyat teklif - PO240017 xlsx.exe | malicious | Snake Keylogger
                    • 188.114.97.3
                     | wrong bank details.exe | malicious | MassLogger RAT
                    • 188.114.96.3
                     | z1PO7311145.exe | malicious | Snake Keylogger, VIP Keylogger
                    • 188.114.97.3
                     | PO.doc | malicious | Snake Keylogger, VIP Keylogger
                    • 188.114.96.3
                     | TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger
                    • 188.114.96.3
                     | rREQUESTFORQUOTE-INQUIRY87278.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger
                    • 188.114.97.3
                     | SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe | malicious | GuLoader, Snake Keylogger
                    • 172.67.177.134
                     | 8038.exe | malicious | Snake Keylogger
                    • 188.114.96.3
                     | COMPANY PROFILE_pdf.exe | malicious | DarkTortilla, Snake Keylogger
                    • 188.114.97.3
                     | #Uc740#Ud589_#Uc0c1#Uc138#Uc815#Ubcf4.exe | malicious | Snake Keylogger
                    • 188.114.96.3
                    checkip.dyndns.com | ABH projesi_SLG6%0190%_fiyat teklif - PO240017 xlsx.exe | malicious | Snake Keylogger
                    • 132.226.247.73
                     | wrong bank details.exe | malicious | MassLogger RAT
                    • 132.226.8.169
                     | z1PO7311145.exe | malicious | Snake Keylogger, VIP Keylogger
                    • 158.101.44.242
                     | PO.doc | malicious | Snake Keylogger, VIP Keylogger
                    • 158.101.44.242
                     | TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger
                    • 132.226.247.73
                     | rREQUESTFORQUOTE-INQUIRY87278.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger
                    • 193.122.130.0
                     | SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe | malicious | GuLoader, Snake Keylogger
                    • 132.226.247.73
                     | 8038.exe | malicious | Snake Keylogger
                    • 132.226.8.169
                     | COMPANY PROFILE_pdf.exe | malicious | DarkTortilla, Snake Keylogger
                    • 132.226.8.169
                     | #Uc740#Ud589_#Uc0c1#Uc138#Uc815#Ubcf4.exe | malicious | Snake Keylogger
                    • 158.101.44.242
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    ORACLE-BMC-31898US | z1PO7311145.exe | malicious | Snake Keylogger, VIP Keylogger
                    • 158.101.44.242
                     | PO.doc | malicious | Snake Keylogger, VIP Keylogger
                    • 158.101.44.242
                     | rREQUESTFORQUOTE-INQUIRY87278.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger
                    • 193.122.130.0
                     | #Uc740#Ud589_#Uc0c1#Uc138#Uc815#Ubcf4.exe | malicious | Snake Keylogger
                    • 158.101.44.242
                     | movimiento_INGDIRECT.exe | malicious | Snake Keylogger
                    • 193.122.130.0
                     | Pla#U0107anje,jpg.exe | malicious | Snake Keylogger, VIP Keylogger
                    • 193.122.6.168
                     | sam.exe | malicious | MassLogger RAT, PureLog Stealer
                    • 158.101.44.242
                     | ENQUIRY NEED QUOTATION.exe | malicious | Snake Keylogger, VIP Keylogger
                    • 193.122.6.168
                     | ZEjcJZcrXc.elf | malicious | Mirai
                    • 193.122.239.124
                     | na.elf | malicious | Unknown
                    • 130.61.64.122
                    CLOUDFLARENETUS | ABH projesi_SLG6%0190%_fiyat teklif - PO240017 xlsx.exe | malicious | Snake Keylogger
                    • 188.114.97.3
                     | scan_374783.js | malicious | AgentTesla
                    • 188.114.97.3
                     | https://email.oxblue.com/e3t/Ctc/Q+113/cdDrv04/VXdfjN46m5dxW4GJlKB4fd0DdW2sbCLr5lTFq6N7Hm8xT3qgyTW7Y8-PT6lZ3lzW1ccS1H8Y8rzXW1hrlTV77h1NhW5_pVzH8bsnn6W1PWxqV8D5TN_W4_z5yx2Cz_4sMrZF-GqDHzcW8pZQ3N3BhYgKW3tmwg72n4TxDW4fS46V1-s7dgW57YVF64HfrMMW2BxxC75X21XdW1nBYw_1PMVGyW8s_YKQ6BTQZmW8wDJ4k3-yNbbW2_BGfy66mfVdW937hqt5kq1CcW4XD3mN54BQSWW4G8TK98NTx7zW74frv25zlZbQW5ztJ6n6fGJFrMSqBjr36qwYW2tk9Xh21wMKrW5RXwDq1M2mmrW3nyq_P20wBvNN8-tVH1nqcD1W5m3Vz04sj9CQf2ygfDq04 | malicious | Unknown
                    • 104.17.223.152
                     | https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.htr.gtdzwq?v=frudxdxrtxfilfrjx.htrd.iwtlt___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzpjOGJiNWZiM2U4NjZhMDk1M2Y0MGVjY2U1MDhmYjQ4YTo3OmM4Y2I6MDdlZDdhNDI4N2UyMzc1NGJjZGQ1YjkyOWYyODg2OTI5ZDkyNzU0YTQ2NWI4MzhkYWZlMmM3NjA5ZGMyZGNmMzpoOlQ6VA#YnJhbmRvbi53YW5nQGludGVncmFjb25uZWN0LmNvbQ== | malicious | HTMLPhisher
                    • 188.114.96.3
                     | 8ID0109FLT24PO92CD-R.pdf | malicious | HTMLPhisher
                    • 172.67.74.152
                     | https://www.rhris.com/EmailEmploymentValidation.cfm?EmploymentRefID=E84F959AEA960B8186C356E23E6C822C8E204B6A75564EECEC1823507D68DDBF | malicious | Unknown
                    • 104.21.44.9
                     | shipping.exe | malicious | AgentTesla
                    • 172.67.74.152
                     | https://protect2.fireeye.com/v1/url?k=31323334-50bba2bf-3132a9b3-4544474f5631-9e1721db7158d01a&q=1&e=fd99754d-b74a-4ce2-bf27-63a41e808f94&u=https%3A%2F%2Fwww.rhris.com%2FEmailEmploymentValidation.cfm%3FEmploymentRefID%3DE84F959AEA960B8186C356E23E6C822C8E204B6A75564EECEC1823507D68DDBF | malicious | Unknown
                    • 104.21.44.9
                     | VML S.A..pdf | malicious | HtmlDropper
                    • 104.18.95.41
                     | https://future.nhs.uk | malicious | Unknown
                    • 104.18.70.113
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    54328bd36c14bd82ddaa0c04b25ed9ad | ABH projesi_SLG6%0190%_fiyat teklif - PO240017 xlsx.exe | malicious | Snake Keylogger
                    • 188.114.97.3
                     | wrong bank details.exe | malicious | MassLogger RAT
                    • 188.114.97.3
                     | z1PO7311145.exe | malicious | Snake Keylogger, VIP Keylogger
                    • 188.114.97.3
                     | TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger
                    • 188.114.97.3
                     | rREQUESTFORQUOTE-INQUIRY87278.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger
                    • 188.114.97.3
                     | SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe | malicious | GuLoader, Snake Keylogger
                    • 188.114.97.3
                     | 8038.exe | malicious | Snake Keylogger
                    • 188.114.97.3
                     | COMPANY PROFILE_pdf.exe | malicious | DarkTortilla, Snake Keylogger
                    • 188.114.97.3
                     | #Uc740#Ud589_#Uc0c1#Uc138#Uc815#Ubcf4.exe | malicious | Snake Keylogger
                    • 188.114.97.3
                     | movimiento_INGDIRECT.exe | malicious | Snake Keylogger
                    • 188.114.97.3
                    No context
                    Process:C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1216
                    Entropy (8bit):5.34331486778365
                    Encrypted:false
                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                    Malicious:true
                    Reputation:high, very likely benign file
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1172
                    Entropy (8bit):5.354777075714867
                    Encrypted:false
                    SSDEEP:24:3gWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NKIl9r+q:QWSU4xymI4RfoUeW+mZ9tK8ND3
                    MD5:0CBD5C86CC1353C7EF09E2ED3E0829E3
                    SHA1:0FFE29A715ED1E32BB9491D3DD88FB72280ED040
                    SHA-256:B7A6D1B47CEA0A5084460775416103112E56A7A423216183ABAC974960FD51E7
                    SHA-512:C60EC6550188DCCD1EAD93CC49011BAC45134426ADEF81410468A1F613AD8F2E67AEF296F5C92092A62BFAC746FCA9DC8741FEC5600996F28A48BF2488E94D40
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview:@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):7.977926714780874
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    • Win32 Executable (generic) a (10002005/4) 49.97%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    • DOS Executable Generic (2002/1) 0.01%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    File size:549'896 bytes
                    MD5:55846b937f549f2b9ee2994886a70c76
                    SHA1:4bf34c453165bf2dfe1504bd1b1910d6533eba13
                    SHA256:97c3e15446de0089faea027dc2ac15455fab29ce4442e889cfe41ed682dcfc19
                    SHA512:525a7f68bdbb52bbde37dbbf9c16fc6d88e62ec0dfdaaaed2b215d81b9e1abaedc0ca59cc8591d6c262a44b8e77adb128b8d84330e6c69f3849e9fd2fd256390
                    SSDEEP:12288:oVf0qpVnArpBPAb2tInP8ohbhbBKiLppvx4VenHskR:oVLKpC2tQZLRpp3Hb
                    TLSH:1FC423E816ADC350E6380B3730FBE912697AD3B24ED1EDB6255495AD1C83B144348BFB
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q..g..............0..$...........B... ...`....@.. ....................................@................................
                    Icon Hash:00928e8e8686b000
                    Entrypoint:0x4842b6
                    Entrypoint Section:.text
                    Digitally signed:true
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0x67039271 [Mon Oct 7 07:49:05 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                    Signature Valid:false
                    Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                    Signature Validation Error:The digital signature of the object did not verify
                    Error Number:-2146869232
                    Not Before, Not After
                    • 13/11/2018 01:00:00 09/11/2021 00:59:59
                    Subject Chain
                    • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                    Version:3
                    Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                    Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                    Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                    Serial:7C1118CBBADC95DA3752C46E47A27438
                    Instruction
                    jmp dword ptr [00402000h]
                    add byte ptr [eax], al   (repeated 97 times: the bytes after the .NET entry stub are all zero, which disassembles as this instruction)
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84261 | 0x4f | .text
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x86000 | 0x5dc | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x82e00 | 0x3608 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x88000 | 0xc | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x82c6c | 0x54 | .text
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x2000 | 0x822bc | 0x82400 | 2667877be62467174ff36b7081e52043 | False | 0.9812822396833013 | OpenPGP Secret Key | 7.9840551385774425 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rsrc | 0x86000 | 0x5dc | 0x600 | 94fd0bab441fbeaab162783891a2817f | False | 0.4388020833333333 | data | 4.1796841295109886 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc | 0x88000 | 0xc | 0x200 | 9c58dbeaba7d558a4b0bd8d381b89a4f | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                    RT_VERSION | 0x86090 | 0x34c | data | | | 0.4372037914691943
                    RT_MANIFEST | 0x863ec | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                    DLL | Import
                    mscoree.dll | _CorExeMain
                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                    2024-10-07T17:11:07.140910+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49715 | 193.122.6.168 | 80 | TCP
                    2024-10-07T17:11:08.750276+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49715 | 193.122.6.168 | 80 | TCP
                    2024-10-07T17:11:09.276504+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49719 | 188.114.97.3 | 443 | TCP
                    2024-10-07T17:11:09.937968+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49720 | 193.122.6.168 | 80 | TCP
                    2024-10-07T17:11:13.782019+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49742 | 188.114.97.3 | 443 | TCP
                    2024-10-07T17:11:15.009012+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49753 | 188.114.97.3 | 443 | TCP
                    2024-10-07T17:11:16.255851+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49762 | 188.114.97.3 | 443 | TCP
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP (per-packet TCP listing omitted)
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Oct 7, 2024 17:11:06.276932001 CEST | 49848 | 53 | 192.168.2.6 | 1.1.1.1
                    Oct 7, 2024 17:11:06.283993959 CEST | 53 | 49848 | 1.1.1.1 | 192.168.2.6
                    Oct 7, 2024 17:11:07.135936022 CEST | 56358 | 53 | 192.168.2.6 | 1.1.1.1
                    Oct 7, 2024 17:11:07.144989967 CEST | 53 | 56358 | 1.1.1.1 | 192.168.2.6
                    Oct 7, 2024 17:11:23.445686102 CEST | 53 | 56756 | 1.1.1.1 | 192.168.2.6
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Oct 7, 2024 17:11:06.276932001 CEST | 192.168.2.6 | 1.1.1.1 | 0xf9d0 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                    Oct 7, 2024 17:11:07.135936022 CEST | 192.168.2.6 | 1.1.1.1 | 0x1baf | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Oct 7, 2024 17:11:06.283993959 CEST | 1.1.1.1 | 192.168.2.6 | 0xf9d0 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
                    Oct 7, 2024 17:11:06.283993959 CEST | 1.1.1.1 | 192.168.2.6 | 0xf9d0 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                    Oct 7, 2024 17:11:06.283993959 CEST | 1.1.1.1 | 192.168.2.6 | 0xf9d0 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                    Oct 7, 2024 17:11:06.283993959 CEST | 1.1.1.1 | 192.168.2.6 | 0xf9d0 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                    Oct 7, 2024 17:11:06.283993959 CEST | 1.1.1.1 | 192.168.2.6 | 0xf9d0 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                    Oct 7, 2024 17:11:06.283993959 CEST | 1.1.1.1 | 192.168.2.6 | 0xf9d0 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                    Oct 7, 2024 17:11:07.144989967 CEST | 1.1.1.1 | 192.168.2.6 | 0x1baf | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                    Oct 7, 2024 17:11:07.144989967 CEST | 1.1.1.1 | 192.168.2.6 | 0x1baf | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                    • reallyfreegeoip.org
                    • checkip.dyndns.org
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.6 | 49715 | 193.122.6.168 | 80 | 6248 | C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    Timestamp | Bytes transferred | Direction | Data
                    Oct 7, 2024 17:11:06.311855078 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Oct 7, 2024 17:11:06.901604891 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 07 Oct 2024 15:11:06 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 878f0fab17b851cabf4f75ad38d71d34
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                    Oct 7, 2024 17:11:06.924634933 CEST | 127 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Oct 7, 2024 17:11:07.096977949 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 07 Oct 2024 15:11:07 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 73eab69c0d1a0fe3ed667b467bd82acc
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                    Oct 7, 2024 17:11:08.508630037 CEST | 127 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Oct 7, 2024 17:11:08.703408957 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 07 Oct 2024 15:11:08 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 5bb92b0a78f6906c76a9d353fc768007
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    1 | 192.168.2.6 | 49720 | 193.122.6.168 | 80 | 6248 | C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    Timestamp | Bytes transferred | Direction | Data
                    Oct 7, 2024 17:11:09.288258076 CEST | 127 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Oct 7, 2024 17:11:09.885657072 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 07 Oct 2024 15:11:09 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: db2acbab295c738bb546df2e702dfb34
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    2 | 192.168.2.6 | 49728 | 193.122.6.168 | 80 | 6248 | C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    Timestamp | Bytes transferred | Direction | Data
                    Oct 7, 2024 17:11:11.293417931 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Oct 7, 2024 17:11:11.912091970 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 07 Oct 2024 15:11:11 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: ccbfec36aba75c28d6c8dc245d1e15a0
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    3 | 192.168.2.6 | 49741 | 193.122.6.168 | 80 | 6248 | C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    Timestamp | Bytes transferred | Direction | Data
                    Oct 7, 2024 17:11:12.532789946 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Oct 7, 2024 17:11:13.131576061 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 07 Oct 2024 15:11:13 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 0e3be4e828af7b41c9ecbad49b361a0f
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    4 | 192.168.2.6 | 49749 | 193.122.6.168 | 80 | 6248 | C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    Timestamp | Bytes transferred | Direction | Data
                    Oct 7, 2024 17:11:13.800121069 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Oct 7, 2024 17:11:14.397845030 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 07 Oct 2024 15:11:14 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 86054d2cef32423b6f5a304b13128d7b
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    5 | 192.168.2.6 | 49756 | 193.122.6.168 | 80 | 6248 | C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    Timestamp | Bytes transferred | Direction | Data
                    Oct 7, 2024 17:11:15.025450945 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Oct 7, 2024 17:11:15.647623062 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 07 Oct 2024 15:11:15 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 269860a50cad69d8d0d73fb2398319c7
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    6 | 192.168.2.6 | 49768 | 193.122.6.168 | 80 | 6248 | C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    Timestamp | Bytes transferred | Direction | Data
                    Oct 7, 2024 17:11:16.580286026 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Oct 7, 2024 17:11:17.169934988 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 07 Oct 2024 15:11:17 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 1e0b4bbcbd2933687e30b923b7285b61
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.6 | 49716 | 188.114.97.3 | 443 | 6248 | C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    Timestamp | Bytes transferred | Direction | Data
                    2024-10-07 15:11:08 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    2024-10-07 15:11:08 UTC | 682 | IN | HTTP/1.1 200 OK
                    Date: Mon, 07 Oct 2024 15:11:08 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 70203
                    Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SNy1elASC%2BSpdhRzoys5aRlCumu%2BB04xd%2FLKzAETbuJwUImEZ4BC3aY4tBjzB1SP67sxiulxu9%2FDd9FihhwyBZDgcVW1ojhP2%2BV1Svmq6kBHDScKmclz%2BSZhRvpLyBJ8Wlof7sMV"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ceed26d8d2d4288-EWR
                    Timestamp:2024-10-07 15:11:08 UTC  Bytes transferred:340  Direction:IN
                    Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    Timestamp:2024-10-07 15:11:08 UTC  Bytes transferred:5  Direction:IN
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID:1
                    Source IP:192.168.2.6
                    Source Port:49719
                    Destination IP:188.114.97.3
                    Destination Port:443
                    PID:6248
                    Process:C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    Timestamp:2024-10-07 15:11:09 UTC  Bytes transferred:60  Direction:OUT
                    Data:GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Timestamp:2024-10-07 15:11:09 UTC  Bytes transferred:674  Direction:IN
                    Data:HTTP/1.1 200 OK
                    Date: Mon, 07 Oct 2024 15:11:09 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 70204
                    Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zSDA2eTSmDmTqQeAFV%2Bya%2FS4EmsvbPOXtAbCuV2WQrJ9Ccyul2oGvNr3oebWzesisVdacVCoND4bsGcldXnXR9p5lKXH9BPEH3ymGGSKf2y4pxCK8p7MotTFsGYZsfRRMpAy6VGy"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ceed2729d380f67-EWR
                    Timestamp:2024-10-07 15:11:09 UTC  Bytes transferred:340  Direction:IN
                    Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    Timestamp:2024-10-07 15:11:09 UTC  Bytes transferred:5  Direction:IN
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID:2
                    Source IP:192.168.2.6
                    Source Port:49727
                    Destination IP:188.114.97.3
                    Destination Port:443
                    PID:6248
                    Process:C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    Timestamp:2024-10-07 15:11:11 UTC  Bytes transferred:84  Direction:OUT
                    Data:GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    Timestamp:2024-10-07 15:11:11 UTC  Bytes transferred:676  Direction:IN
                    Data:HTTP/1.1 200 OK
                    Date: Mon, 07 Oct 2024 15:11:11 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 70206
                    Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b27qeo19SmQzi2AXHzN52EbssrcSJ%2BAz0PHpa2vYqeQpYIKNomFU6ZWboTgtUf60SVcdyLo19uMwD8RCM7NScadAuX%2FAjjWrT2MxO9xPjx7llzIqAW3bxJwrPOPVyp%2BqC44VcVfE"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ceed27f1bde32ca-EWR
                    Timestamp:2024-10-07 15:11:11 UTC  Bytes transferred:340  Direction:IN
                    Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    Timestamp:2024-10-07 15:11:11 UTC  Bytes transferred:5  Direction:IN
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID:3
                    Source IP:192.168.2.6
                    Source Port:49735
                    Destination IP:188.114.97.3
                    Destination Port:443
                    PID:6248
                    Process:C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    Timestamp:2024-10-07 15:11:12 UTC  Bytes transferred:84  Direction:OUT
                    Data:GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    Timestamp:2024-10-07 15:11:12 UTC  Bytes transferred:678  Direction:IN
                    Data:HTTP/1.1 200 OK
                    Date: Mon, 07 Oct 2024 15:11:12 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 70207
                    Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pcPB%2BJdp4RBTO819nsnf%2F17IiEemO2GeD%2BnN64Noc0aLWkHcyj%2FDHlOBKw88EJXiMovpdL2bh9Xyz3WysfCyWpn3F18Nw9wdvue7a6MTwVepjkwBrHruTkly3tgT6FV9iaGig6iP"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ceed286d85c8c17-EWR
                    Timestamp:2024-10-07 15:11:12 UTC  Bytes transferred:340  Direction:IN
                    Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    Timestamp:2024-10-07 15:11:12 UTC  Bytes transferred:5  Direction:IN
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID:4
                    Source IP:192.168.2.6
                    Source Port:49742
                    Destination IP:188.114.97.3
                    Destination Port:443
                    PID:6248
                    Process:C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    Timestamp:2024-10-07 15:11:13 UTC  Bytes transferred:60  Direction:OUT
                    Data:GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Timestamp:2024-10-07 15:11:13 UTC  Bytes transferred:678  Direction:IN
                    Data:HTTP/1.1 200 OK
                    Date: Mon, 07 Oct 2024 15:11:13 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 70208
                    Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MlDvrUE0qdFfO0eHj0qZGDg4aYgNJkY%2BUbNXoXp4KccHz%2B9OeGeDZQVSeBPmyGtJ5WIYUftq15xN44Zezd4Pg2o7mw7f0a77L%2FI9jpmG7e0C%2BY8nbyFuPdvotD1uSgGoUyLn7YzP"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ceed28ebf5a42ad-EWR
                    Timestamp:2024-10-07 15:11:13 UTC  Bytes transferred:340  Direction:IN
                    Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    Timestamp:2024-10-07 15:11:13 UTC  Bytes transferred:5  Direction:IN
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID:5
                    Source IP:192.168.2.6
                    Source Port:49753
                    Destination IP:188.114.97.3
                    Destination Port:443
                    PID:6248
                    Process:C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    Timestamp:2024-10-07 15:11:14 UTC  Bytes transferred:60  Direction:OUT
                    Data:GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Timestamp:2024-10-07 15:11:15 UTC  Bytes transferred:674  Direction:IN
                    Data:HTTP/1.1 200 OK
                    Date: Mon, 07 Oct 2024 15:11:14 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 70209
                    Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KnE6tjbhsBb7KP5145Fj8MQ2JZLO2gjvaioj%2FFSBdjq1yhqPoHCLM25EkZfCdfC6rwbPErTL5RBL0%2FCwrlA6OuetxdVMHaGTQdFpRWP2RZ9Zu07xM8CwqxBQPKfA0FOF22kHbogz"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ceed2965c7f43a1-EWR
                    Timestamp:2024-10-07 15:11:15 UTC  Bytes transferred:340  Direction:IN
                    Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    Timestamp:2024-10-07 15:11:15 UTC  Bytes transferred:5  Direction:IN
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID:6
                    Source IP:192.168.2.6
                    Source Port:49762
                    Destination IP:188.114.97.3
                    Destination Port:443
                    PID:6248
                    Process:C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    Timestamp:2024-10-07 15:11:16 UTC  Bytes transferred:60  Direction:OUT
                    Data:GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Timestamp:2024-10-07 15:11:16 UTC  Bytes transferred:676  Direction:IN
                    Data:HTTP/1.1 200 OK
                    Date: Mon, 07 Oct 2024 15:11:16 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 70211
                    Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VZn4FlYroh4CVHRjCvvSv3oMS00Jadn2zqToXuAzwCMHbpOd1VJEMqYoJGAY4UzppMDYdfIi754wZsmLJZTFGnz%2FHjBHn%2Fkg13RJFIxOgo%2FFlhQYOZFlyMtJYd2w9KbNgDPMmESk"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ceed29e3bb442c4-EWR
                    Timestamp:2024-10-07 15:11:16 UTC  Bytes transferred:340  Direction:IN
                    Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    Timestamp:2024-10-07 15:11:16 UTC  Bytes transferred:5  Direction:IN
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID:7
                    Source IP:192.168.2.6
                    Source Port:49774
                    Destination IP:188.114.97.3
                    Destination Port:443
                    PID:6248
                    Process:C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    Timestamp:2024-10-07 15:11:17 UTC  Bytes transferred:84  Direction:OUT
                    Data:GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    Timestamp:2024-10-07 15:11:17 UTC  Bytes transferred:682  Direction:IN
                    Data:HTTP/1.1 200 OK
                    Date: Mon, 07 Oct 2024 15:11:17 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 70212
                    Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FYjKVD0nulT2NpurLJAV2lGRNwu%2B8TlW93qYCB%2B9fiLwIWJP8vqw6nguLYyg8yU%2FYbXKQnT6BYGLdXqcxZVnaS9Y016NOF5WGWKvZAur4epri%2FzNHYDce0wm6F0nHevl%2BbGjiH3L"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ceed2a78830426b-EWR
                    Timestamp:2024-10-07 15:11:17 UTC  Bytes transferred:340  Direction:IN
                    Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    Timestamp:2024-10-07 15:11:17 UTC  Bytes transferred:5  Direction:IN
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0



                    Target ID:0
                    Start time:11:11:03
                    Start date:07/10/2024
                    Path:C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"
                    Imagebase:0x720000
                    File size:549'896 bytes
                    MD5 hash:55846B937F549F2B9EE2994886A70C76
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                    Reputation:low
                    Has exited:true

                    Target ID:3
                    Start time:11:11:05
                    Start date:07/10/2024
                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"
                    Imagebase:0x530000
                    File size:433'152 bytes
                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:4
                    Start time:11:11:05
                    Start date:07/10/2024
                    Path:C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"
                    Imagebase:0x5a0000
                    File size:549'896 bytes
                    MD5 hash:55846B937F549F2B9EE2994886A70C76
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                    • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.4615792687.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.4615792687.0000000002941000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:false

                    Target ID:5
                    Start time:11:11:05
                    Start date:07/10/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff66e660000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true


                      Execution Graph

                      Execution Coverage:9.9%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:193
                      Total number of Limit Nodes:8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d10c69848daa23032dff0952855f76529b80f22050f30af82e315406803e899a
                      • Instruction ID: 3d14c3479d4311d804edf136ccbe857ede09e7fee05696e49b4502c3d3f40bd9
                      • Opcode Fuzzy Hash: d10c69848daa23032dff0952855f76529b80f22050f30af82e315406803e899a
                      • Instruction Fuzzy Hash: FAE1C8B0B01605DFDB29DB66C490BEEB7FAAF89700F14446ED5469B391CB35E801CB51
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1c81bd26e69b58f91056e22d7f78da54fc1f16a85022e1bc960c09252fa97a5e
                      • Instruction ID: 98398800c0f34969e5db965e11daf117b0d4fdaa7128a8e758f183bd1c57b2f4
                      • Opcode Fuzzy Hash: 1c81bd26e69b58f91056e22d7f78da54fc1f16a85022e1bc960c09252fa97a5e
                      • Instruction Fuzzy Hash: 105148B5D1A208CBDF04CFA9D4843EDFBF9BB4A700F51A42AD809A7252DB355846CF11
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6d84a641a04b3d93d280b6619c7da54bdb92244179eb65ba7c4aaf962e25046e
                      • Instruction ID: 87bb430ef615685259fa145b054be1a002d7e0710a5f808e65ab195256ec26ac
                      • Opcode Fuzzy Hash: 6d84a641a04b3d93d280b6619c7da54bdb92244179eb65ba7c4aaf962e25046e
                      • Instruction Fuzzy Hash: 04413FB5D053988FEB05CFA6D8443DEBFB6AF8A300F05C1A7D445AA266D7780946CF50
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c1549a2057f5a78104cb894b54b55ae78c527636d6592625e3d245fbb2195728
                      • Instruction ID: 90d945c221176c6c458344476079cc8a67e9367e8546a72428af5499c74d9de1
                      • Opcode Fuzzy Hash: c1549a2057f5a78104cb894b54b55ae78c527636d6592625e3d245fbb2195728
                      • Instruction Fuzzy Hash: 6541E5B4D04218CFEB58CFA6D8447DEBBB6BF89300F00C5AAD809A7265DB755985CF50
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9079b567960a2f93b4a7a2f06cd155cfdf9027b6e011bb5e7e4c25d054cf2bd4
                      • Instruction ID: 5d160c8dbdb480d27b00d4bac66c79bd57d0a7aaba660a00782160d6caa27b02
                      • Opcode Fuzzy Hash: 9079b567960a2f93b4a7a2f06cd155cfdf9027b6e011bb5e7e4c25d054cf2bd4
                      • Instruction Fuzzy Hash: B7D09EF4CAE228DFDB91EE7098496F4BA7CAB1B315F5434969C0E93713DE308541CA25

                      Control-flow Graph

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 011BD05E
                      • GetCurrentThread.KERNEL32 ref: 011BD09B
                      • GetCurrentProcess.KERNEL32 ref: 011BD0D8
                      • GetCurrentThreadId.KERNEL32 ref: 011BD131
                      Memory Dump Source
                      • Source File: 00000000.00000002.2192206273.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_11b0000_RFQ Ref.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: bcc037becc264543248bf7731821500c7a424fb2864f62c72edecd371a0f2ad0
                      • Instruction ID: 9c77787b83ebf01992877da8b92004d7bd62c0332cc60c6846b05042babf07c8
                      • Opcode Fuzzy Hash: bcc037becc264543248bf7731821500c7a424fb2864f62c72edecd371a0f2ad0
                      • Instruction Fuzzy Hash: 3D5165B090134ACFDB18CFA9D588BDEBFF1AF88314F20C559E408A7261DB74A945CB65

                      Control-flow Graph

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 011BD05E
                      • GetCurrentThread.KERNEL32 ref: 011BD09B
                      • GetCurrentProcess.KERNEL32 ref: 011BD0D8
                      • GetCurrentThreadId.KERNEL32 ref: 011BD131
                      Memory Dump Source
                      • Source File: 00000000.00000002.2192206273.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_11b0000_RFQ Ref.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: 01b3c40640309c7f2f77b67eb305fff63034b712f619fcdfc3a11aff658983be
                      • Instruction ID: c8972821859929b6db73efb312e5ea2e7bcdd0d12dc1b82d005136d3846fafa9
                      • Opcode Fuzzy Hash: 01b3c40640309c7f2f77b67eb305fff63034b712f619fcdfc3a11aff658983be
                      • Instruction Fuzzy Hash: FE5157B090034ACFDB58DFA9D588BDEBBF1AF88314F20C559E409A7350DB749944CB65

                      Control-flow Graph

                      • Function start: 11bad48 (control-flow graph edge data not reproduced)
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 011BAF9E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2192206273.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_11b0000_RFQ Ref.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID: $O$$O
                      • API String ID: 4139908857-2259736977
                      • Opcode ID: 270afe801be276250a0c2d3b9497d117dc5d097b5e5c50cffc1a61163deaca85
                      • Instruction ID: 377792b6e1536f31267a6543387f6c6e78e4193f117489a2370c48a090b376cf
                      • Opcode Fuzzy Hash: 270afe801be276250a0c2d3b9497d117dc5d097b5e5c50cffc1a61163deaca85
                      • Instruction Fuzzy Hash: 69713870A00B058FD728DF29E48579ABBF1FF88304F108A2DD58AD7A40DB75E949CB91

                      Control-flow Graph

                      • Function start: 7456094 (control-flow graph edge data not reproduced)
                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074562D6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: 33d9d1cd77a3eaad939cd91bba86af258b1935428d505a0917d792211bcb8460
                      • Instruction ID: c8e53e3029f25031290a733406b0baca5c23a76b630becbcbd3505fe903c7ac3
                      • Opcode Fuzzy Hash: 33d9d1cd77a3eaad939cd91bba86af258b1935428d505a0917d792211bcb8460
                      • Instruction Fuzzy Hash: 37A18FB1D0021ADFEF10DF68C8417EEBBB2BF48710F41816AE808A7241DB749981CF92

                      Control-flow Graph

                      • Function start: 74560a0 (control-flow graph edge data not reproduced)
                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074562D6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: 08e1cafef9c42f8f2a12361b4733852582db12ecf3490b5654d31dccbcacb9f4
                      • Instruction ID: 8eb53d817c639515c9dfaf2dd80d5a893b79d79ef9b9e33332ebe5c7456324cc
                      • Opcode Fuzzy Hash: 08e1cafef9c42f8f2a12361b4733852582db12ecf3490b5654d31dccbcacb9f4
                      • Instruction Fuzzy Hash: A4917FB1D0021ADFEF10DF68C9417EEBBB2BF48710F55856AE808A7241DB749985CF92

                      Control-flow Graph

                      • Function start: 11b590c (control-flow graph edge data not reproduced)
                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 011B59C9
                      Memory Dump Source
                      • Source File: 00000000.00000002.2192206273.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_11b0000_RFQ Ref.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: 9f4450f41b5a39d98ef5c5d2ea76058c250593cfff3adcb72877fba9a640bab5
                      • Instruction ID: 2e7d598222fefa2703d8c74441b26e3efeb86247427142c23577c05e93cf9493
                      • Opcode Fuzzy Hash: 9f4450f41b5a39d98ef5c5d2ea76058c250593cfff3adcb72877fba9a640bab5
                      • Instruction Fuzzy Hash: 6041D0B1C00719CBEB24CFA9C9847CDBBB6BF88314F20806AD508BB251DB75694ACF51

                      Control-flow Graph

                      • Function start: 11b44b0 (control-flow graph edge data not reproduced)
                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 011B59C9
                      Memory Dump Source
                      • Source File: 00000000.00000002.2192206273.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_11b0000_RFQ Ref.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: 4a82f58bba61a0c945a11b8b0ab141efaa7000532e923b36b6f841b050e12600
                      • Instruction ID: 52839a943a19e18a5209bb8bb3444e32c047047aeef655999790c621a147254d
                      • Opcode Fuzzy Hash: 4a82f58bba61a0c945a11b8b0ab141efaa7000532e923b36b6f841b050e12600
                      • Instruction Fuzzy Hash: 0C41C1B0C0071DCBEB24CFAAC9847DEBBB6BF49704F20806AD508AB251DB756945CF91

                      Control-flow Graph

                      • Function start: 7455a10 (control-flow graph edge data not reproduced)
                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07455AA8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: 7d52c6a1863b8b3454b6470e2dcd1b5facb306b493f643140a3509063ab0017a
                      • Instruction ID: 6336d3183ace5f7a2a47fb8cc289f549b9dec0d2b4f861b982e85ff658415ffd
                      • Opcode Fuzzy Hash: 7d52c6a1863b8b3454b6470e2dcd1b5facb306b493f643140a3509063ab0017a
                      • Instruction Fuzzy Hash: 2C214DB19003099FDB10CFA9C8857EEBBF5FF48310F10842AE919A7241D7759954CBA4

                      Control-flow Graph

                      • Function start: 7455b00 (control-flow graph edge data not reproduced)
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07455B88
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: d7b5685d43e203f0ece7b5f2a96cf0ac374b29872812265579a3cafb398486ac
                      • Instruction ID: eb374f0b3bed11722b30307337e4868d6ca709945efb27b292e31e9290af5d15
                      • Opcode Fuzzy Hash: d7b5685d43e203f0ece7b5f2a96cf0ac374b29872812265579a3cafb398486ac
                      • Instruction Fuzzy Hash: 31214AB28003499FDB10CFAAC841BEEFBF5FF88320F50842AE519A7240C7799511CBA5

                      Control-flow Graph

                      • Function start: 7455a18 (control-flow graph edge data not reproduced)
                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07455AA8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: 7efda079a4ac311115318c9ba6147284eb00d86389214f96cf61cdced2380bdd
                      • Instruction ID: 6fddc9b4ff7b770d772e38fbff5087d0da8aac584423ba2b94b56e8015340215
                      • Opcode Fuzzy Hash: 7efda079a4ac311115318c9ba6147284eb00d86389214f96cf61cdced2380bdd
                      • Instruction Fuzzy Hash: F3212AB19003499FDF10CFA9C885BEEBBF5FF48310F10842AE918A7241D7789950CBA4

                      Control-flow Graph

                      • Function start: 7455878 (control-flow graph edge data not reproduced)
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074558FE
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: c1cfe8de1518b17b6a2b6e6ad7cdb61bb07e3781bef88f075e0796f9e71ec488
                      • Instruction ID: 568b56978a87f05881369faeed072dbd68fae397b23f12fc4d69641c2b3dd770
                      • Opcode Fuzzy Hash: c1cfe8de1518b17b6a2b6e6ad7cdb61bb07e3781bef88f075e0796f9e71ec488
                      • Instruction Fuzzy Hash: 29218CB19003099FDB10CFAAC4817EEFBF5EF88320F50842AD559A7241CB789545CFA4

                      Control-flow Graph

                      • Function start: 11bd629 (control-flow graph edge data not reproduced)
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011BD6B7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2192206273.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_11b0000_RFQ Ref.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: eab59ad5335a476cccffc578acc03a736d1e5a9ed53c9e2fdd4a127908825304
                      • Instruction ID: 36803bb7b0166c87110e97859ad9489daf954a1fb26fb6e744ffa905cfcaf1ed
                      • Opcode Fuzzy Hash: eab59ad5335a476cccffc578acc03a736d1e5a9ed53c9e2fdd4a127908825304
                      • Instruction Fuzzy Hash: 4221E3B59012099FDB10CFAAD984ADEBFF5EB48324F14841AE918A7310D378A951CFA1

                      Control-flow Graph

                      • Function start: 7455b08 (control-flow graph edge data not reproduced)
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07455B88
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: c895eb62e49870e08676978232f49b560d7eb4713750c6c9d22f7112e2cf95c8
                      • Instruction ID: c831e954f4d80673686bec9329c1dc8fa2ed982485390376934f72f180941b78
                      • Opcode Fuzzy Hash: c895eb62e49870e08676978232f49b560d7eb4713750c6c9d22f7112e2cf95c8
                      • Instruction Fuzzy Hash: A0212AB18003499FDB10CF9AC845BEEFBF5FF48320F50842AE519A7240C7799510CBA5

                      Control-flow Graph

                      • Function start: 7455880 (control-flow graph edge data not reproduced)
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074558FE
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: 95d3fcaa77c7cdf31fcccd36d42e96f8b057a63551a150b75af671d06de43de0
                      • Instruction ID: 472a2066c59bb3b694f8ef2bbaa9f8474a01b2f88f055fe56a4cf7f31ce29481
                      • Opcode Fuzzy Hash: 95d3fcaa77c7cdf31fcccd36d42e96f8b057a63551a150b75af671d06de43de0
                      • Instruction Fuzzy Hash: 832168B1D003099FDB10CFAAC4817EEFBF4AF88324F54842AD519A7241CB78A944CFA0
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011BD6B7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2192206273.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_11b0000_RFQ Ref.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: d5edd60f6537fd0f6cfd2a14ac149b50a3aa92b610669b2b2d9fcd7d69d19469
                      • Instruction ID: 459d3e798dc109f18598556bc6046258eff4663d4726a02b9afb8d028ada580e
                      • Opcode Fuzzy Hash: d5edd60f6537fd0f6cfd2a14ac149b50a3aa92b610669b2b2d9fcd7d69d19469
                      • Instruction Fuzzy Hash: F521B3B59002499FDB10CF9AD984ADEBBF4EB48324F14841AE918A3350D378A954CFA5
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 074559C6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: cf45fbb11f6b43bb4ebf759b78419f1acedbc8bc6603e42cba870087a6a35e97
                      • Instruction ID: 598a27de7ab25473984873770f13d7fb55ef4c1e096980e8afcf9a03c7cd5757
                      • Opcode Fuzzy Hash: cf45fbb11f6b43bb4ebf759b78419f1acedbc8bc6603e42cba870087a6a35e97
                      • Instruction Fuzzy Hash: 101159B29003499FDB10DFAAC845BDEBFF5EF88320F20881AE515A7250CB799510CF90
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: f1ca95fd27023365888b03329c4d353c53d650a931292bfe8c1e3778121bc14d
                      • Instruction ID: 5cd40a4ec0954c757fde36f9ffeb828cbd1ebc7f72c2b2b08b46c87628f76512
                      • Opcode Fuzzy Hash: f1ca95fd27023365888b03329c4d353c53d650a931292bfe8c1e3778121bc14d
                      • Instruction Fuzzy Hash: 6F1179B19003498FEB10CFAAD4457EEFBF5EF88324F20841AD519A7200CB75A404CFA5
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 074559C6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 20f2cf70bef711ff01ee3c066141068a87f9c6f33bc7218162789212d264af78
                      • Instruction ID: bedd582fa323fdeeda0045621e9002112b0aa7d5adaf1d04e18a45adceb6124c
                      • Opcode Fuzzy Hash: 20f2cf70bef711ff01ee3c066141068a87f9c6f33bc7218162789212d264af78
                      • Instruction Fuzzy Hash: 621129B29003499FDB10DFAAC845BDFFBF5AF88320F14881AE515A7250C779A550CBA1
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 07458D9D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: 377c9f647824864c079a375580bd2b037d1630919a1b39e5faf511a8e84849db
                      • Instruction ID: b7b35e67c2169bf909758d22163d80924e4934352acb00b56b8a0dda1d147607
                      • Opcode Fuzzy Hash: 377c9f647824864c079a375580bd2b037d1630919a1b39e5faf511a8e84849db
                      • Instruction Fuzzy Hash: 4C11E3B6800259DFDB10DF9AD585BDEFBF8EB88324F20841AD955A7200C775A944CFA1
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: d52e1a7fe9dc014fcb8b1b1ea94d47231663c1c6b1593401c25a75960c319e74
                      • Instruction ID: e0b04ed7c19a61c539462eb155330e148d8c5f589a3ba05c5b16ea3f5b66ceef
                      • Opcode Fuzzy Hash: d52e1a7fe9dc014fcb8b1b1ea94d47231663c1c6b1593401c25a75960c319e74
                      • Instruction Fuzzy Hash: 581128B1D003498FDB10DFAAC4457EEFBF5AF88724F24841AD519A7240CB79A540CF95
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 011BAF9E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2192206273.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_11b0000_RFQ Ref.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: bd97e12aad3f166199f1bd7a82bfad659c8e5cbc1e26b846280b53a9c407ae10
                      • Instruction ID: 5b055971010b6551ab29ff50c7f168fbb4cb2a3c4f4376db9a29309dfc30c9e2
                      • Opcode Fuzzy Hash: bd97e12aad3f166199f1bd7a82bfad659c8e5cbc1e26b846280b53a9c407ae10
                      • Instruction Fuzzy Hash: 2A11E0B6C007498FDB14CF9AD544BDEFBF4AF88224F10841AD919B7250D379A545CFA1
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 07458D9D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: 0fde7a68991ed488591dd529c9a8ccc19b7faf46c684ab55c309f8d3d9226016
                      • Instruction ID: ef6e3c2747c6f0eb55f8e9efbda3ac0db29270b6df7d196f6aa007c7608e90ba
                      • Opcode Fuzzy Hash: 0fde7a68991ed488591dd529c9a8ccc19b7faf46c684ab55c309f8d3d9226016
                      • Instruction Fuzzy Hash: 7C11F5B58003499FDB10DF9AD544BDEFBF8EB48320F10841AE914A7241C7B5A954CFA1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2191348565.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_e7d000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6e5d8bb769d10765892eee507fbbeceb0eaa52aab949c19e02626abdfeb5ade0
                      • Instruction ID: 7f3447b9f7191be8ff24605eca60ccd18e0832861a497bca921a59988d343102
                      • Opcode Fuzzy Hash: 6e5d8bb769d10765892eee507fbbeceb0eaa52aab949c19e02626abdfeb5ade0
                      • Instruction Fuzzy Hash: 8B210676508204EFDB04DF14D9C0B26BF75FF94324F20C169D90D5B256D336E856CAA1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2191462000.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_e8d000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 87b1da648f1dd1d446f7d82231b988fc36ed439fc359c9217946cf0805fc3c5b
                      • Instruction ID: c3de676a06fafa468ab51b9c03dc55088886bf1baad8dde47bf1cfde5dd63a63
                      • Opcode Fuzzy Hash: 87b1da648f1dd1d446f7d82231b988fc36ed439fc359c9217946cf0805fc3c5b
                      • Instruction Fuzzy Hash: 8E210075608304EFDB14EF14D980B26BB66EB84318F20C56DD90E5B292C77AD806CB61
                      Memory Dump Source
                      • Source File: 00000000.00000002.2191462000.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_e8d000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6ebeb6ba65c20288d0e9c606be39234b74cca887b1cd05ed5242fcd57cb05af4
                      • Instruction ID: 43c95a1fb1d5928bd441840dbe3bef3277d7f6b52b3eba38e77a661fe6994ae5
                      • Opcode Fuzzy Hash: 6ebeb6ba65c20288d0e9c606be39234b74cca887b1cd05ed5242fcd57cb05af4
                      • Instruction Fuzzy Hash: F0212271508204EFDB04EF54D9C0B26BBA5FB84318F20C66DE90D5B2A2C376D806CB61
                      Memory Dump Source
                      • Source File: 00000000.00000002.2191462000.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_e8d000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d97473c6c295b032fc4843f97ff7329d5f1530a4d4517acee72728186d2afde8
                      • Instruction ID: 10841aeddb7d7de24c63d96b22eea8283b6718158c78ba67f9a71878d10a6b24
                      • Opcode Fuzzy Hash: d97473c6c295b032fc4843f97ff7329d5f1530a4d4517acee72728186d2afde8
                      • Instruction Fuzzy Hash: A221717550D3808FCB02DF20D990715BF71EB46314F28C5DAD8498B2A7C33A980ACB62
                      Memory Dump Source
                      • Source File: 00000000.00000002.2191348565.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_e7d000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                      • Instruction ID: 8b5c7dd459c1d9661d07294b88bbdc17937dd16f3a8cb8aab8833a5f09f882f6
                      • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                      • Instruction Fuzzy Hash: D211E6B6504280DFCB15CF10D9C4B16BF71FF94328F24C6A9D8094B656C33AE856CBA1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2191462000.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_e8d000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                      • Instruction ID: f70d7154a10abdd1350e1a3428d43a7f6a49ae4d4eb25a919660f307ab7fe362
                      • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                      • Instruction Fuzzy Hash: A711BB75508284DFCB01DF50C9C0B15BBA1FB84318F24C6A9D84D5B2A6C33AD81ACB61
                      Memory Dump Source
                      • Source File: 00000000.00000002.2191348565.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_e7d000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 838964eb39d005325bb3c0a15c914287d2b3db2ce0542d57ab82f20b40244f6a
                      • Instruction ID: 1022119b3fa606d1479e517f8ec590811ca39e44af31f53c55636a264ef9bf1c
                      • Opcode Fuzzy Hash: 838964eb39d005325bb3c0a15c914287d2b3db2ce0542d57ab82f20b40244f6a
                      • Instruction Fuzzy Hash: 2701F2724083409AE7188A69CD80B66FFA8EF41324F18D81BED0C2A286C7B89840C6B1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2191348565.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_e7d000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d09f2d6d5660a826809bb69ffd290f10dc169a3804767f9f058b6a143da7290c
                      • Instruction ID: db85318a9c6092a1c67cb2180ed03618eb7a7719861560892ead386d43013d55
                      • Opcode Fuzzy Hash: d09f2d6d5660a826809bb69ffd290f10dc169a3804767f9f058b6a143da7290c
                      • Instruction Fuzzy Hash: B7F062724093449EE7148A5ADD84B62FFA8EF51728F18C45BED4C5A286C379A844CBB1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7927c7ccd8510649a9f31307e2bd434e84a7438f6ad7007817684120f1e9909d
                      • Instruction ID: 61747ae05d1bcfebe0829fbeaa793184aac87c6b5cfd28164b7c484fb61a86e3
                      • Opcode Fuzzy Hash: 7927c7ccd8510649a9f31307e2bd434e84a7438f6ad7007817684120f1e9909d
                      • Instruction Fuzzy Hash: D0E10CB4E10259CFDB14DFA8C590AAEBBB2BF49304F24816AD814AB356D7709D42CF61
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d4a4d81b513809ed3267afb17cfe11d47477ecd857a3a7d3889565fbaad5ad42
                      • Instruction ID: 85e59987b78d67e45ec407ce171a5f6d9ba9fbf09b89652904a5c93eaf8462d9
                      • Opcode Fuzzy Hash: d4a4d81b513809ed3267afb17cfe11d47477ecd857a3a7d3889565fbaad5ad42
                      • Instruction Fuzzy Hash: B4E1DDB4E102598FDB14DF99C590AAEFBF2BF89304F24825AD814A7356D730AD42CF61
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 14acf74dae0c880ca0808160cc9360107dc6e9b91f7c62ebe286739b23367591
                      • Instruction ID: 68c6cf43d536c0fbb973ce907e96778525c8e08f3b65f60ec903048419f2fb90
                      • Opcode Fuzzy Hash: 14acf74dae0c880ca0808160cc9360107dc6e9b91f7c62ebe286739b23367591
                      • Instruction Fuzzy Hash: BAE1FDB4E10259CFDB14DFA9C580AAEFBB2BF49304F248269D814A7356D730AD42CF61
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 64c484bf57a94e5e1e81eb1b0f0e15438b5217a869a77c6211de6db98680c4c4
                      • Instruction ID: c19a7f61d7fd3445a54835f9c4225b15931af9c519aa9c59c998ca81aa217c27
                      • Opcode Fuzzy Hash: 64c484bf57a94e5e1e81eb1b0f0e15438b5217a869a77c6211de6db98680c4c4
                      • Instruction Fuzzy Hash: EDE1ECB4E102598FDB14DF99C590AAEFBB2FF49304F24825AD814A7356D731AD42CF60
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b053c343e5479adaa453200a970af748985417271ec2e201f7150abd26039fb7
                      • Instruction ID: 3d891a31728d01be3affaf04bb415865b16179f25dd629434675d13875df638e
                      • Opcode Fuzzy Hash: b053c343e5479adaa453200a970af748985417271ec2e201f7150abd26039fb7
                      • Instruction Fuzzy Hash: 8FD1FCB4E10259CFDB14DFA9C590AAEFBB2BF49304F248259D814AB356D770AD42CF60
                      Memory Dump Source
                      • Source File: 00000000.00000002.2192206273.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_11b0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cca1a6008cc4d7b12794eef4eca2b2cce18b419a06af5fff06297eee175cb17e
                      • Instruction ID: 7d4cdfdd42a2b7c5c1b4f17cf1f6539622550979bd9f5f5012ee0b1d54201e9c
                      • Opcode Fuzzy Hash: cca1a6008cc4d7b12794eef4eca2b2cce18b419a06af5fff06297eee175cb17e
                      • Instruction Fuzzy Hash: 64A15F32E0021A8FCF09DFB9CD845DEBBB2FF85304B15856AE905AB265DB71D916CB40
                      Memory Dump Source
                      • Source File: 00000000.00000002.2196159978.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7450000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 98e81bf9e49f1aa7d062ec430fa12676ab9e7c20a66a28fdcc77688484c6f24b
                      • Instruction ID: 7c4c455849b012dfff5de9f0cc71cd0c31bc48bd3a5774038600989a2c27a9b4
                      • Opcode Fuzzy Hash: 98e81bf9e49f1aa7d062ec430fa12676ab9e7c20a66a28fdcc77688484c6f24b
                      • Instruction Fuzzy Hash: 3051FFB5E102198FDB14DFA9C5806AEFBF2BF89304F14816AD818A7316D7719D42CF61
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d9f7e1e233c209a1ec8072ada46175e36e12df02d9020f9b4e90beb9473d158b
                      • Instruction ID: 2dc2e39dd7db527744edda834a275b996e3ed912331f522eae8a98528c58ccc3
                      • Opcode Fuzzy Hash: d9f7e1e233c209a1ec8072ada46175e36e12df02d9020f9b4e90beb9473d158b
                      • Instruction Fuzzy Hash: D2729171A40209DFCB15DF68C984ABEBBF2FF88314F15855AE906AB3A1D730E941CB51
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ec8c07a947233537623f8013a0d523b837bf4bd852f0d460db0c04a3e5488942
                      • Instruction ID: ad8d3af6416f6aeed5622dd3c83ce643a0251b36213c45651d15fb23f17876bc
                      • Opcode Fuzzy Hash: ec8c07a947233537623f8013a0d523b837bf4bd852f0d460db0c04a3e5488942
                      • Instruction Fuzzy Hash: AA826D74E012289FEB64DF69D898BDDBBB2BF89300F1081EA950DA7255DB705E81CF50
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8328fb45f80f4b6fd9e779bf3e089e99ce43ee31171ed2565d565b7d6006a518
                      • Instruction ID: e3a590d127efbfe9a7cde1d3c4daa7b762b32b41100cd9338236a450efb21905
                      • Opcode Fuzzy Hash: 8328fb45f80f4b6fd9e779bf3e089e99ce43ee31171ed2565d565b7d6006a518
                      • Instruction Fuzzy Hash: C672DF74E412698FDB65EF69C884BDDBBB2BB49300F1091E9E449A7355EB309E81CF40
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7abb0e712f0fafa09f1659999bb45ea043d92741b93f3039ce49d575bd2c94ce
                      • Instruction ID: fb278e1f620a106e0cc5f9a3a3f4d6875de5197209fcdb63c2a8297e3cb535f0
                      • Opcode Fuzzy Hash: 7abb0e712f0fafa09f1659999bb45ea043d92741b93f3039ce49d575bd2c94ce
                      • Instruction Fuzzy Hash: D9128070A002199FDB14DFA9C854BAEBBFAFFC8314F148529E50A9B395DB349D41CB90
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2e1b0fbd6533bc4e1d94ad357efcab12568c297836c9b5e308430d09dd52a799
                      • Instruction ID: de8cb8b10d7600934ec44eae05bcbff991abe29c0332347276c8882194b434ad
                      • Opcode Fuzzy Hash: 2e1b0fbd6533bc4e1d94ad357efcab12568c297836c9b5e308430d09dd52a799
                      • Instruction Fuzzy Hash: C8E11C74E40658CFDB14DFA9C894A9DBBB2FF49314F1590A9E819EB361DB30A841CF50
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3a89bff437c8d11727eaddf2e771afab3b953f2de95db832ce6a25228efcecd6
                      • Instruction ID: 1a888f25713b8e210a89207be1ba239838de17aeb3886079f7c6fed08fc373db
                      • Opcode Fuzzy Hash: 3a89bff437c8d11727eaddf2e771afab3b953f2de95db832ce6a25228efcecd6
                      • Instruction Fuzzy Hash: 1AD16070A41119EFCB15EFA9C984AADBBFAFF88308F158065E505AB2A5D730EC41CF51
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 68f116a2d2e76a7b93cfdd977d321c71f037d1375749393a9dcd3da14dff1e35
                      • Instruction ID: 57dabd14d713acde1ae231e182df4eb3ce61cc28ce62804337f677eee4d97ab5
                      • Opcode Fuzzy Hash: 68f116a2d2e76a7b93cfdd977d321c71f037d1375749393a9dcd3da14dff1e35
                      • Instruction Fuzzy Hash: D3E1C374E01218CFEB64DFA9C844B9DBBB2BF89304F2081A9D409BB395DB755A85CF50
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4d6d7d0ae726e2f4aa7b2bd7718ad000add7dcee6a8ce840911a7ab4efc1589f
                      • Instruction ID: e43e82c16b959dfb7fbb714752534cd493a68c9e3f5b296683b64a94818b2fef
                      • Opcode Fuzzy Hash: 4d6d7d0ae726e2f4aa7b2bd7718ad000add7dcee6a8ce840911a7ab4efc1589f
                      • Instruction Fuzzy Hash: 2FD1B274E01218CFEB14DFA5D994B9DBBB2BF89300F2081A9D809AB355DB359E81CF51
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a75561e5a03f27a4060d03ece9a0c9f6b11fca4a83c3438872df8f2356f30ff6
                      • Instruction ID: b9c9bf0c38b624d632c5dcc4b9a746fe14df568fb220137f147178cd14037eeb
                      • Opcode Fuzzy Hash: a75561e5a03f27a4060d03ece9a0c9f6b11fca4a83c3438872df8f2356f30ff6
                      • Instruction Fuzzy Hash: FAA19F74E012288FEB68CF6AC944B9DFBF2BF89300F14D1AAD409A7254DB745A85CF50
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 11f6fed95b91576ffe29c3432ecb96d26c959e5bbde3dc583f4bf69bbb105e23
                      • Instruction ID: 1fad9c4b659499bba54b9f7a8fd059daf047a85e9fbf950865812f27a2ec090e
                      • Opcode Fuzzy Hash: 11f6fed95b91576ffe29c3432ecb96d26c959e5bbde3dc583f4bf69bbb105e23
                      • Instruction Fuzzy Hash: 4AA1A375E016288FEB64CF6AC944B9EFBF2BF89300F14C1AAD409A7254DB345A85CF51
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 612c737785d4d2739e89b9f3864b86d895f662ffd335bde881bbe9ac95bf877c
                      • Instruction ID: d3065d63c43fc824d109e7d9c89827d37466d9884950202c1dfa3992175769fc
                      • Opcode Fuzzy Hash: 612c737785d4d2739e89b9f3864b86d895f662ffd335bde881bbe9ac95bf877c
                      • Instruction Fuzzy Hash: 92A19175E012288FEB68CF6AC944B9DFBF2BF89300F14C1AAD409A7254DB745A85CF50
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ddf1baa0624dfc6b5bad059094327e1d83e4a735bf2367d55409d4e048cb4081
                      • Instruction ID: d689e5534a42d10fb49a69ffc2fa11ba70c8560c0db1239f3bfe525159dd6b92
                      • Opcode Fuzzy Hash: ddf1baa0624dfc6b5bad059094327e1d83e4a735bf2367d55409d4e048cb4081
                      • Instruction Fuzzy Hash: 7EA19074E012288FEB68DF6AC944B9DFBF2BF89300F14D1AAD409A7254DB745A85CF50
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 82a8d4f4e9518edede11e026938218d7bbb83c58a893ea39a661e00427e9eb1d
                      • Instruction ID: bad875a8f62926e58986e511cba8912b2e0d27a3be98918413b1f1a2f590970e
                      • Opcode Fuzzy Hash: 82a8d4f4e9518edede11e026938218d7bbb83c58a893ea39a661e00427e9eb1d
                      • Instruction Fuzzy Hash: 5EA1A3B4E012288FEB64CF6AD944B9DFAF2BF89300F14C1AAD409A7254DB745A85CF51
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 347ec30a758ee3ec566720a1955b4603b1d0cf590340bddf4eba536669fc4a19
                      • Instruction ID: 7268e5b78b9fa880e839150190dec3e78ccd37863df639af1264679ffc7ea8a9
                      • Opcode Fuzzy Hash: 347ec30a758ee3ec566720a1955b4603b1d0cf590340bddf4eba536669fc4a19
                      • Instruction Fuzzy Hash: 23A193B4E012288FEB64CF6AD944B9DFBF2BF89300F15C1AAD408A7254DB745A85CF51
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7cd3976317919c902a2e192e1476ae63fe376c84fc46e20c010de03c675bae9b
                      • Instruction ID: 2ef47c86bdf855d3994d8e016c05f8436e527f20e5492813222811e0bfaf282d
                      • Opcode Fuzzy Hash: 7cd3976317919c902a2e192e1476ae63fe376c84fc46e20c010de03c675bae9b
                      • Instruction Fuzzy Hash: 61A19275E012288FEB64CF6AC944B9EFBF2BF89300F14C1AAD409A7254DB745A85CF51
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 09ead2050dec3a8e32398213ea477d8486a69a527d518d448295da935f624586
                      • Instruction ID: 2426ebbc820fdd0b7fced1779af143a01d5a058675e328b76d177ceec7341321
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b40d25895b637e3405b98c282f6510e94eac9c9b989c0d6caea61cb5915bfcca
                      • Instruction ID: 9ecd07d6dddcf239550b67560a6db1592996a1e068f66e0c9b5208da48c0ed98
                      • Opcode Fuzzy Hash: b40d25895b637e3405b98c282f6510e94eac9c9b989c0d6caea61cb5915bfcca
                      • Instruction Fuzzy Hash: 9241F635B042049FCB05AB78D8146AE7FF6AFC9620F14856AE616E73D1DF319C02CBA1
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 369ed52b73b1e7e50a26f9a3cf52572147a97f6d9e6765a0f5dabdaa93db0207
                      • Instruction ID: a92c6e1f10a049cfa75057624fc1198851352f074035a4bf511c9269b22b124e
                      • Opcode Fuzzy Hash: 369ed52b73b1e7e50a26f9a3cf52572147a97f6d9e6765a0f5dabdaa93db0207
                      • Instruction Fuzzy Hash: C041C131A44249DFCF15DFA4C844BADBFB2BF89354F048556EA11AB391D331E910CBA5
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7b5c4b2e24d03a4b27adef41b817080b2a160aa784d575b46890d6c636e6f7bc
                      • Instruction ID: f37611ee27d06302e59c80c4727d816b30b33e881fd2c90f2c6a22d697cf7281
                      • Opcode Fuzzy Hash: 7b5c4b2e24d03a4b27adef41b817080b2a160aa784d575b46890d6c636e6f7bc
                      • Instruction Fuzzy Hash: 0F416275E0020ADBDB64DFA9C890ADEBBF5BF88710F158129E415B7384EB70A945CF90
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 832efb130155771aff67088b8687380d33670a9deeb5512886721b28d06967dd
                      • Instruction ID: f8e2ed227d26df260c39876b7790833f00360ca4a749525ca3e30e2e5d036959
                      • Opcode Fuzzy Hash: 832efb130155771aff67088b8687380d33670a9deeb5512886721b28d06967dd
                      • Instruction Fuzzy Hash: 4E41F178E04219CFDB54DFA9D884BEEBBB1FF89304F10812AD405AB294EB346A45CF54
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0ae6a1f4e276b9ab0a49ff70adbc363be2ab57d40b13b423279e83d98faba29e
                      • Instruction ID: b8649c2009cd5d293a9938e206a8597b7e33fdad615a041d02c95f0e2b2270ca
                      • Opcode Fuzzy Hash: 0ae6a1f4e276b9ab0a49ff70adbc363be2ab57d40b13b423279e83d98faba29e
                      • Instruction Fuzzy Hash: BF41D030A04349EFCB15EF64C804BAABBFAEF84314F04846AE8559B281D774DD45CFA1
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8ba53bcd416edc4def1b80b3389743c70a59d8ddf43219fce6d5b8af6cebabff
                      • Instruction ID: b92b15032d3915eab21073e48780f38800fcd5221aa5e053a864ab682ce4b6d8
                      • Opcode Fuzzy Hash: 8ba53bcd416edc4def1b80b3389743c70a59d8ddf43219fce6d5b8af6cebabff
                      • Instruction Fuzzy Hash: 7D31E771B843258BDF196ABE849427E66DABBC4A20F14447ED90AD7380EFB4CC458761
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5bafbf9ce225e68d016cbf5f16333eec0dbf1b02038019f881de9967fc733eb6
                      • Instruction ID: 087777621cd850d678c48d38271eab88e8a0ce930a6da4e6314e543c30955fa5
                      • Opcode Fuzzy Hash: 5bafbf9ce225e68d016cbf5f16333eec0dbf1b02038019f881de9967fc733eb6
                      • Instruction Fuzzy Hash: E941F074E05219CFDB14DFA9D584AEEBBF2BF88304F10912AD405AB294EB345A46CF50
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 149f4b8fc5c3805bf540736a8873708696852e7968516e3015919421a23948c9
                      • Instruction ID: f23f6a1dfe8d62613bdff7086649e4c6d21860816d09669cf427a31fd4297391
                      • Opcode Fuzzy Hash: 149f4b8fc5c3805bf540736a8873708696852e7968516e3015919421a23948c9
                      • Instruction Fuzzy Hash: F031613264410AEFCF05AFA4D864AAF7BA6FF88310F108424F9168B255CB75DD61DBA0
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7b1aa6299c180a1947f868a3c679df89dcbdb755b2f54f744bbf1de91d4df27e
                      • Instruction ID: 4abf1d9dcbcf1abb0df0a617e6d6075caf26c8e6c78d1001125537400fd49431
                      • Opcode Fuzzy Hash: 7b1aa6299c180a1947f868a3c679df89dcbdb755b2f54f744bbf1de91d4df27e
                      • Instruction Fuzzy Hash: E5317F3480535ACFD704AFB4E46CBAEBBB1FF4A311F008955D111A62D4CB781A84CFA1
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 051a6ee4a843f5c626cff47bcf641917bcbafc1c7aef7c64a43867c913c49cf7
                      • Instruction ID: 082205bdb3a218f9373ea2c8b96876ac89ad1ed46861146040f7f10260090756
                      • Opcode Fuzzy Hash: 051a6ee4a843f5c626cff47bcf641917bcbafc1c7aef7c64a43867c913c49cf7
                      • Instruction Fuzzy Hash: 8C21A7387442434BDB1926398C94B7EBB979FC9619B288079D607CB799EF24CC42D781
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cf98586075cef5e3b73c3e09937ce1b6041fc953fae222cddab3e04f59dda939
                      • Instruction ID: 56fd576f8e98899a14c12f23615f8bb3c7ac3a4152f75fa9a70afa54d37602d1
                      • Opcode Fuzzy Hash: cf98586075cef5e3b73c3e09937ce1b6041fc953fae222cddab3e04f59dda939
                      • Instruction Fuzzy Hash: AE318170A446098FCB04DF6DC884AAEBBF6BF89354B158166E515973A5CB34AC42CFA0
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e8af01b78442cd819fe948d348c89a6e38d905bf51c2077650ce62104991696e
                      • Instruction ID: 8d7f13a6a278d746488eee902c98b4523cf6154f69a3a693bbf26863aac3950d
                      • Opcode Fuzzy Hash: e8af01b78442cd819fe948d348c89a6e38d905bf51c2077650ce62104991696e
                      • Instruction Fuzzy Hash: A521833C3442024BEB1826368894B7EB6979FC8759F288479D607CB798EF65CC42E3C0
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: be8ebe8caf6aa8d1d7faa6ce97260f0428177139968040b826bb953d25738b08
                      • Instruction ID: 9eb1dfc018759bff12077a1af056befea010caa0de72933a427120200a600ec9
                      • Opcode Fuzzy Hash: be8ebe8caf6aa8d1d7faa6ce97260f0428177139968040b826bb953d25738b08
                      • Instruction Fuzzy Hash: C2212734B04A528FDBB99B6CC89487EB772BB812507054936E416D72F1DB30DC41CB91
                      Memory Dump Source
                      • Source File: 00000004.00000002.4614357321.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_dcd000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fcad3f279e618c7d9481778436993429d3881dc44d125237662f5b9eb8416377
                      • Instruction ID: fa13a1bad07bd2f345dd42c8835e904697582ad9d66d5788f7b64f3091eb44df
                      • Opcode Fuzzy Hash: fcad3f279e618c7d9481778436993429d3881dc44d125237662f5b9eb8416377
                      • Instruction Fuzzy Hash: 36312C7550E3C49FC7138B64C990B11BF71AF47214F1985EBD8898F1A3C26A980ACB72
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f008e95ac5e4f12afea11c10335ce3aa8837766f55c6abf88526197780ccec98
                      • Instruction ID: b00d27ab9389c3501e2d5bd7f5c6539fed5866cd2b24c2e802637b54565ef039
                      • Opcode Fuzzy Hash: f008e95ac5e4f12afea11c10335ce3aa8837766f55c6abf88526197780ccec98
                      • Instruction Fuzzy Hash: 2921F435A00149AFCB14EF24D850AAE77B5EB88360F60C459EC099B344DB31EA41CBD1
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9e53c883f9dee36cff7c88d748e0318cee98d2391769bd029685d1a71c58fc27
                      • Instruction ID: f6c086ea98adaf513ad169ec4a391400b66a1b8fb43045aeb972441519330a7d
                      • Opcode Fuzzy Hash: 9e53c883f9dee36cff7c88d748e0318cee98d2391769bd029685d1a71c58fc27
                      • Instruction Fuzzy Hash: 3221F2317856118FC32AAA64C4A452EBBA2EFC9661B1685A9E806CB350CF30DC06CBC1
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0ca80d7bbb2d7d9cbf893828a6f9c66ca5b698d8cf39d9cc5002474afb634b3b
                      • Instruction ID: 8a6a7a46da4064169a7321f6ff943ca4cabf4db86ea9853fc9941e5d17a64d28
                      • Opcode Fuzzy Hash: 0ca80d7bbb2d7d9cbf893828a6f9c66ca5b698d8cf39d9cc5002474afb634b3b
                      • Instruction Fuzzy Hash: 651106363042505FDB4A6EA858245AE7BA3EFC5260B54482AE505DB3D1DF394E02C7B2
                      Memory Dump Source
                      • Source File: 00000004.00000002.4614357321.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_dcd000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8646fcf8fb4d38a2ac63df70472d2f75fa11d80c57ec229d16f07491028a2dd3
                      • Instruction ID: 48afe3386143af41b2c3c739c4d21243285bd85390aea8e734b760e634b71958
                      • Opcode Fuzzy Hash: 8646fcf8fb4d38a2ac63df70472d2f75fa11d80c57ec229d16f07491028a2dd3
                      • Instruction Fuzzy Hash: 60210071504205EFCB14DF28C9C0F26BB62FB84314F24C57DE9490B292C77AD846DA72
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 787b1cb6dbf8e4a2c1d2c382a83632c6f86fc58b20cfd312b273c3123fa05e3d
                      • Instruction ID: e393c88d666e1c8789e4e0ef9f7d724b51e756546d7c03ecc2cfc6d24faef16f
                      • Opcode Fuzzy Hash: 787b1cb6dbf8e4a2c1d2c382a83632c6f86fc58b20cfd312b273c3123fa05e3d
                      • Instruction Fuzzy Hash: 83115931E0429D9BCB01EBF89C105EEFB71FFC9210B248356D555B7151EB315906C790
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 711df940363845cc4eba2eaa296b23601e662e573dd7a6ca8800bffb948c0b9d
                      • Instruction ID: 5c4907136c541d1893ff1299b1d9e03e4619779ef8a08696bca000008531def4
                      • Opcode Fuzzy Hash: 711df940363845cc4eba2eaa296b23601e662e573dd7a6ca8800bffb948c0b9d
                      • Instruction Fuzzy Hash: EA21C63264824A9FCB15AF78D464BAF3FA2EF84314F104469F4468B251CB74CD66CBE0
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 68e14bab1f18d894f84e345f5586e89a1a928d8c626aad79a6aee35bcc14c7ca
                      • Instruction ID: 3bd46c8d2e695d3a8218e715f42e1cb5974aef26543800a0783e3ae6023a52b1
                      • Opcode Fuzzy Hash: 68e14bab1f18d894f84e345f5586e89a1a928d8c626aad79a6aee35bcc14c7ca
                      • Instruction Fuzzy Hash: 8B1108307052549FD7141A7D98182BBBFABBFCA221F148977E106C32D6CD748C0683B1
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1598f3e26c23468e69774190a69de9875a19952cd63f3b9f1d26bd61adcfe99a
                      • Instruction ID: cb5f138e285ea1f80814fac5a53951e520f592966900348bc104ae4bbc16d729
                      • Opcode Fuzzy Hash: 1598f3e26c23468e69774190a69de9875a19952cd63f3b9f1d26bd61adcfe99a
                      • Instruction Fuzzy Hash: 2121BE7090424ADFDB45EFB8D891B9EBFF1FB81304F0082AAC0449B256EB745A458B91
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9def5b612fc122641705fc805de5056c09496afb8b8d7c40e7506813caf963a3
                      • Instruction ID: 877ea085587044bba748a9b7e8b4ab57a5b9cdd64cbcf58dd010fe337ddfacb4
                      • Opcode Fuzzy Hash: 9def5b612fc122641705fc805de5056c09496afb8b8d7c40e7506813caf963a3
                      • Instruction Fuzzy Hash: D511A1317816129FD719AA29C4A892EBBA6FFC86617564578E906DB350DF30DC02CBD0
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4d4ff16e675469f6f7d98b5faea25cf593f92816f74e677765e601543cce19f3
                      • Instruction ID: 3cdf7053e285f84a81a405bfff6c4237372219736a6410e8908405377d2aa9e6
                      • Opcode Fuzzy Hash: 4d4ff16e675469f6f7d98b5faea25cf593f92816f74e677765e601543cce19f3
                      • Instruction Fuzzy Hash: D621F474C45209CFCB04EFA8D8455EDBBF0BF49300F00416AD805B3211EB301A55CFA1
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0b5c826b2e1589484636c0f64da743ac9a4410250be437d77b604b9a36ae6d6d
                      • Instruction ID: f7263f87e0262188a2c53cba96052af1222cbb287dcf9380df64f5c0636cfc88
                      • Opcode Fuzzy Hash: 0b5c826b2e1589484636c0f64da743ac9a4410250be437d77b604b9a36ae6d6d
                      • Instruction Fuzzy Hash: 06211575C4564A8FCB01EFA8C4984EDBFB0BF4A314F1445AAD445B7254EB305A85CBA2
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e165361cb2822fc55d2c6180a777422b0a605aeec8a616ab1e9d873c9d4a499e
                      • Instruction ID: 89cad79279630ff235caf6e9d683a3ddece99e865f9b6464d218cdfdb94e22eb
                      • Opcode Fuzzy Hash: e165361cb2822fc55d2c6180a777422b0a605aeec8a616ab1e9d873c9d4a499e
                      • Instruction Fuzzy Hash: 3D1112B6800249AFDB10CF99C945BDEBFF5EB48320F148419EA18A7250C379A554DFA5
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5d39406863d3badf836bb5ba614a8463cdfde6b86680f9590ac43b2d9c2485a7
                      • Instruction ID: 1f8160bbecfa14d7c6f71194d9b9c6c23d53d79352bdd70fd855cd8e037ae0be
                      • Opcode Fuzzy Hash: 5d39406863d3badf836bb5ba614a8463cdfde6b86680f9590ac43b2d9c2485a7
                      • Instruction Fuzzy Hash: C91133B68002099FDB10CF99C944BDEBBF5EB48320F108419E614A7250C379A550CFA5
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3fddbaa48b0cb1f5b25c94833ef05caa6ba8c480d3f27776c9b49414aef0ef30
                      • Instruction ID: fad0697cdb431e7413757ab4112289d512580128b48ddd444af333d6721e1d06
                      • Opcode Fuzzy Hash: 3fddbaa48b0cb1f5b25c94833ef05caa6ba8c480d3f27776c9b49414aef0ef30
                      • Instruction Fuzzy Hash: 92113038F401598FEB10DBF8D850BEEBBB2FB84311F019461E808A7395E77199428F51
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 433228ace4893164ea72c9e9ddbd9ebf1ac5a543b02af761e50567831ad64364
                      • Instruction ID: e03a95e5567d38cba3f26ecfb2b6cc131d2e8e4a942a70351561041260b7ceeb
                      • Opcode Fuzzy Hash: 433228ace4893164ea72c9e9ddbd9ebf1ac5a543b02af761e50567831ad64364
                      • Instruction Fuzzy Hash: BC117F74D0020ADFDB44EFB8D891B9EBBF1FB84304F109269D004AB355EB705A458B91
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a8d2e113d33faebd3025429e74288e203511f657d32d5fe2654f67267893b42b
                      • Instruction ID: 5b89461769a8bcd1cc0b65c46740197477391d45c598ce0d92adf2d6ceebebb2
                      • Opcode Fuzzy Hash: a8d2e113d33faebd3025429e74288e203511f657d32d5fe2654f67267893b42b
                      • Instruction Fuzzy Hash: 18118B71A202118FC7A0DB7CEC08AAA7BF4FF89325B114569E606DB710EB32D911CBD0
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a011a621cbbfa9f04bab66cf877c1c0a9fa0e3a18e56ae28e24f789d85f351fe
                      • Instruction ID: 2ab07ba11e8bd6e7172a7e400c4fa660ae545cc7a0ff2ff567acf4c995ee01e1
                      • Opcode Fuzzy Hash: a011a621cbbfa9f04bab66cf877c1c0a9fa0e3a18e56ae28e24f789d85f351fe
                      • Instruction Fuzzy Hash: 4D01F172B440046FDB02AE699810AEF3BE7DFC8761F19806AF905D7280CE718812CBA0
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b61dfbfe8bd082de401883d5c8ede46acd6c555fa5e4c8fb5d6b694d7ff21331
                      • Instruction ID: 41895b15c5db056b42e4e6f8632047f77a3e6864b2a74065a9d5a3a8a33dc63c
                      • Opcode Fuzzy Hash: b61dfbfe8bd082de401883d5c8ede46acd6c555fa5e4c8fb5d6b694d7ff21331
                      • Instruction Fuzzy Hash: 0001F670E00219CFCF58EFB9C8046AEBBF5BF88200F10856AD51AE7294E7345A01CF90
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cb1400b49c05e157666b933f72b847861d5a19686f6661bc00c7798c7e065ded
                      • Instruction ID: e5918ac60ebc46a20080b8926010124da01e236bf4f4487cfc9180a342985f93
                      • Opcode Fuzzy Hash: cb1400b49c05e157666b933f72b847861d5a19686f6661bc00c7798c7e065ded
                      • Instruction Fuzzy Hash: 58F0BE307056008FC764AA2EE81893677AABFC5612B1644BAE905CB3B1EA60CC418BA0
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 743edafbe9093d8676c601b352697ac273d230fa50401bad70aa73e31d94565e
                      • Instruction ID: 4240309d063a3c1ef434130d058abdfe8e9d4ad790dcdb8a637ac3ff770c7a9c
                      • Opcode Fuzzy Hash: 743edafbe9093d8676c601b352697ac273d230fa50401bad70aa73e31d94565e
                      • Instruction Fuzzy Hash: 37F0BE32300119AB8B05AE98AC408AF7EABEFC8260B004429FA1993280DF318D1197B5
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5e445cce8e6fa53910e7d15b34ce26c13280b0260af52b46f222730993209a0e
                      • Instruction ID: 2eb901be195c0af0d9acd0bc9ad7087fef1db5f93f29dbe9dd5cc9eadc35d32b
                      • Opcode Fuzzy Hash: 5e445cce8e6fa53910e7d15b34ce26c13280b0260af52b46f222730993209a0e
                      • Instruction Fuzzy Hash: 49F08C347416008FD728BF2EE85892A77AAFFC462171584A9E506CB3A0DF30DC018BA0
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 02d306c2186941bbef7e7ab9b6da41de43fecf549b3d4e78fdf6b1386240a8d9
                      • Instruction ID: 5efa7167b051317339752f6f4ff6e424f238c2ae1918c08b983d8242153e6393
                      • Opcode Fuzzy Hash: 02d306c2186941bbef7e7ab9b6da41de43fecf549b3d4e78fdf6b1386240a8d9
                      • Instruction Fuzzy Hash: B5E0D831E613DA5ACF03A6A4AC144EEBB38EDA7211B445197DA2077157F770290AC7B1
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0c8d47257b7cd41f729d3732f96dc52e5e5f8e12e02137790edaa132e8e84882
                      • Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
                      • Opcode Fuzzy Hash: 0c8d47257b7cd41f729d3732f96dc52e5e5f8e12e02137790edaa132e8e84882
                      • Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                      • Instruction ID: cfcc6c3124a6b571cd5ab7cc8e3525674572b9a1f8f3897a7f68a9cc77140f9a
                      • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                      • Instruction Fuzzy Hash: 31C08C3328C12C2AA634708F7C40EB7BB8CC3C13F4A650237F91CE3200A942AC8041FA
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 144170cd146db02920a5e56409e62c48aa7a72bc2afacf0fb8b984131521c9b7
                      • Instruction ID: dc37b6e5a81b6ae74198dddd4075646a2de58ad8d41e44c963839305655970c6
                      • Opcode Fuzzy Hash: 144170cd146db02920a5e56409e62c48aa7a72bc2afacf0fb8b984131521c9b7
                      • Instruction Fuzzy Hash: 2FD02B3440934A8BD705F374FC554153F29A6C0304F40459CB9015D016EFB9490983A2
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ff070d542b36c8db580c82e2718af610778a5520e3ced1001d45a328ec8ac438
                      • Instruction ID: 54d7f9f58e1cda1cbb9d13dfa0cc598fab85eeab4c74977149a355a3c8a47fd1
                      • Opcode Fuzzy Hash: ff070d542b36c8db580c82e2718af610778a5520e3ced1001d45a328ec8ac438
                      • Instruction Fuzzy Hash: F7D0677BB511089FCB089F98E8409DDB7B6FB9C221B048526E925A3260C6319921DB60
                      Memory Dump Source
                      • Source File: 00000004.00000002.4618318383.00000000065D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_65d0000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 250d4779fcb1105d287cf07e13d255f32717eaacc0c64332ff889f03c32e48b0
                      • Instruction ID: 6600ae6185fdcdd92de2d9e73f38404cff340349611fcc81b9a65baacf678735
                      • Opcode Fuzzy Hash: 250d4779fcb1105d287cf07e13d255f32717eaacc0c64332ff889f03c32e48b0
                      • Instruction Fuzzy Hash: ACC012352020009FEB148600DE9EBAA7762E7C0320F29C060A00487320C220DC11C758
                      Memory Dump Source
                      • Source File: 00000004.00000002.4615181458.0000000002780000.00000040.00000800.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_2780000_RFQ Ref.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4fccab0136b444eb056585294e0f4e6a3bc263ff7ccc86f5c8bf4261a9a3390a
                      • Instruction ID: 5e179a3953def0163c37385f8ae4ce3fd3da5e632ba11b4f77b44b9f8850132f
                      • Opcode Fuzzy Hash: 4fccab0136b444eb056585294e0f4e6a3bc263ff7ccc86f5c8bf4261a9a3390a
                      • Instruction Fuzzy Hash: EEC0123451430E87D609F7B5F9459553B6EE6C0300F409918B10909119EFF8594457A0