Windows Analysis Report
GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe

Overview

General Information

Sample name: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
Analysis ID: 1562196
MD5: f1ea1b78865f0eea18a4821f45f10948
SHA1: 4a5650f660f478df65cde9a2caebbc1dbe8c8d74
SHA256: 31280f11bf64367779cdf2d9e04b62fd7ad53c28fd44bdf70e7793583793aca3
Tags: AgentTesla, exe, user-threatcat_ch

Detection

AgentTesla, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe" MD5: F1EA1B78865F0EEA18A4821F45F10948)
    • powershell.exe (PID: 2680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6508 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer capability which targets browser information and cryptowallets. It usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Extracted malware configuration (AgentTesla):
{"Exfil Mode": "SMTP", "Port": "587", "Host": "zqamcx.com", "Username": "sender@zqamcx.com", "Password": "Methodman991"}
Source | Rule | Description | Author
00000005.00000002.4485380510.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.4485380510.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.4486703238.0000000002F98000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.2057678679.0000000006820000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000005.00000002.4486703238.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author
0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.6820000.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.6820000.3.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.35ce790.1.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.3837a90.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.3837a90.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe", ParentImage: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, ParentProcessId: 6644, ParentProcessName: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe", ProcessId: 2680, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe", ParentImage: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, ParentProcessId: 6644, ParentProcessName: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe", ProcessId: 2680, ProcessName: powershell.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 78.110.166.82, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, Initiated: true, ProcessId: 3448, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49709
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe", ParentImage: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, ParentProcessId: 6644, ParentProcessName: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe", ProcessId: 2680, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: 5.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "zqamcx.com", "Username": "sender@zqamcx.com", "Password": "Methodman991"}
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | ReversingLabs: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Joe Sandbox ML: detected
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: aYmp.pdb source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
Source: Binary string: aYmp.pdbSHA256 source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe

Networking

Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.37fb270.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.3837a90.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.35ce790.1.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.5:49709 -> 78.110.166.82:587
Source: Joe Sandbox View | IP Address: 78.110.166.82 78.110.166.82
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: zqamcx.com
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4495402281.000000000667E000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486074525.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486074525.0000000001311000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000003112000.00000004.00000800.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000002F76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r11.i.lencr.org/0#
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4495402281.000000000667E000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486074525.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486074525.0000000001311000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000003112000.00000004.00000800.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000002F76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r11.o.lencr.org0#
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000000.00000002.2041030544.00000000025F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4495402281.000000000667E000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486074525.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486074525.0000000001311000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000003112000.00000004.00000800.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000002F76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4495402281.000000000667E000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486074525.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486074525.0000000001311000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000003112000.00000004.00000800.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000002F76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000003112000.00000004.00000800.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000002F76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://zqamcx.com
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000000.00000002.2050350308.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4485380510.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.37fb270.2.raw.unpack, O9KGcRw9bkp.cs | .Net Code: KAZ
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.3837a90.0.raw.unpack, O9KGcRw9bkp.cs | .Net Code: KAZ
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe

System Summary

Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.3837a90.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.37fb270.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.37fb270.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.3837a90.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.35ce790.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.35ce790.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: initial sample | Static PE information: Filename: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Code functions: 0_2_00BFD344, 0_2_069CF2F8, 0_2_069C9658, 0_2_069C0559, 0_2_069C0560, 0_2_069C9200, 0_2_069C9220, 0_2_069CB168, 0_2_069CAD30, 0_2_069C9A90
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Code functions: 5_2_01579B40, 5_2_01574A88, 5_2_0157CDC0, 5_2_01573E70, 5_2_015741B8, 5_2_0157F4A8, 5_2_0642C900, 5_2_064213D8, 5_2_06445760, 5_2_06442F08, 5_2_06448C0A, 5_2_0644DD90, 5_2_06440040, 5_2_06443637, 5_2_0644BD90, 5_2_06445068, 5_2_064449E8
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Static PE information: invalid certificate
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000000.00000000.2024165682.0000000000264000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameaYmp.exe@ vs GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000000.00000002.2050350308.00000000035B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000000.00000002.2050350308.00000000035B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameb9cb78e8-c1d3-4ab9-8530-a3a5b5ca79e5.exe4 vs GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000000.00000002.2050350308.00000000035B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000000.00000002.2057678679.0000000006820000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000000.00000002.2060477649.0000000007310000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000000.00000002.2041030544.00000000025B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000000.00000002.2041030544.00000000025F6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameb9cb78e8-c1d3-4ab9-8530-a3a5b5ca79e5.exe4 vs GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000000.00000002.2060193650.0000000007280000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000000.00000002.2038171858.000000000070E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4485380510.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameb9cb78e8-c1d3-4ab9-8530-a3a5b5ca79e5.exe4 vs GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4485553488.0000000000D99000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Binary or memory string: OriginalFilenameaYmp.exe@ vs GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.3837a90.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.37fb270.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.37fb270.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.3837a90.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.35ce790.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.35ce790.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.37fb270.2.raw.unpack, CMa60k.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.37fb270.2.raw.unpack, EgTglEucnUn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.37fb270.2.raw.unpack, MmVR.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.37fb270.2.raw.unpack, MmVR.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, ywV4egyJHNBKnEJKLL.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, AN9xAWVwQAXkleQq7U.cs | Security API names: _0020.SetAccessControl
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, AN9xAWVwQAXkleQq7U.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, AN9xAWVwQAXkleQq7U.cs | Security API names: _0020.AddAccessRule
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/6@1/1
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.logJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:120:WilError_03
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4i05ubpq.vs3.ps1Jump to behavior
                      Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | ReversingLabs: Detection: 36%
Source: unknown | Process created: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe"
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Process created: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: aYmp.pdb source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
Source: Binary string: aYmp.pdbSHA256 source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe

Data Obfuscation

Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.35ce790.1.raw.unpack, id.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.6820000.3.raw.unpack, id.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, LogInGUI.cs | .Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, AN9xAWVwQAXkleQq7U.cs | .Net Code: qgj9Le1Dfd System.Reflection.Assembly.Load(byte[])
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Static PE information: 0xFD42D076 [Sun Aug 24 09:46:30 2104 UTC]
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Code function: 0_2_069CC5DD push eax; retf 0_2_069CC5DE
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Code function: 0_2_069C8AC8 push eax; retf 0_2_069C8AC9
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Code function: 0_2_069C8BA6 push esp; retf 0_2_069C8BA7
Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Static PE information: section name: .text entropy: 7.937984443380174
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, vg0BmkzqcWbhSpc1ro.cs | High entropy of concatenated method names: 'lN0Bv31nek', 'lFlBybj76p', 'PmKBYRom6C', 'sQRB5IIN66', 'xcQBFC0sY6', 'Bc3Bs9FpaF', 'vT4BH8lx6N', 'XJ8BtAQjA8', 'kAjBxjCutA', 'VhlBSHu2tC'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, cNOZyfd9Zyk5qd2cCba.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BfxXJ8A9fs', 'x2yXBrN8DY', 'NMOXfWRsZw', 'wnTXX8OSOZ', 'AFbXKIZRxa', 'FPBX4mtl3i', 'oR3XtyYKB7'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, yt3w9b7VrGIPcSbgeU.cs | High entropy of concatenated method names: 'R6cJgRxRwa', 'ugAJQysdcr', 'FQIJJ4Z0qT', 'PWUJf5d0XB', 'xFxJKs0f6h', 'eI4JtUvyTs', 'Dispose', 'VfTNEPkXZq', 'l6RNkEL7UX', 'yiqNeMBb8b'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, ywV4egyJHNBKnEJKLL.cs | High entropy of concatenated method names: 'RQokCEXHEV', 'kotkcxkjv7', 'jSck1WRdJL', 'fNdkUxI2py', 'rC3kOKWPIn', 'CqWkZbQH9f', 'WmHk7uHHcd', 'VKOk0MNUUR', 'bH8klAs6FO', 'G7vknxgRc4'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, fwI8gDYiykCFtX5xeu.cs | High entropy of concatenated method names: 'CZGe83hq2r', 'dNZevMRuD1', 'vAdeyLUU0R', 'R1neYKI1la', 'PnRegTM4p4', 'LNJeIq6a80', 'oOAeQamvjo', 'oHReN1hRM5', 'TSpeJdp5IZ', 'N38eBFbdty'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, bLwa3fmySUOnIfcfm9.cs | High entropy of concatenated method names: 'Yc8r6t8QVU', 'JHbraueCpV', 'MXbeqPV6u8', 'Opfes0Vs8N', 'SDmeHROBJQ', 'lYsepBOouq', 'gZNeDnA2rx', 'sMHeotB8G7', 'PnKeMuPyF1', 'A5peT6w58K'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, X1T086dwhacPHLM5JCJ.cs | High entropy of concatenated method names: 'ToString', 'qAnfypUlA0', 'KWifYrSwvv', 'VUifmV35fF', 'g0lf54qCqw', 'opwfFtVh2C', 'GyPfqCN2Jb', 'IYwfsiOXlc', 'liEjFi3Ho7wK872YC5j', 'Gbagrl3QwlSRDsbyKrN'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, jG0vMSDvHgE1Vbyiut.cs | High entropy of concatenated method names: 'Cp2PEdRStV', 'PcfPekssrF', 'kNkPALGyih', 'VYuAnclLXg', 'PU1Az1OmUB', 'edtPiHYfBc', 'u5OPdGNMP2', 'Ab4PwPFrp3', 'cLlP2rKkrq', 'MATP9Zfdna'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, cbrct8dd6OL0fdNecXH.cs | High entropy of concatenated method names: 'i0EBn4oBH4', 'FevBzYIYtZ', 'V8qfiWQGpp', 'vdWfdxVvNa', 'G5Wfw6DXb0', 'KGmf2FZv30', 'R95f9mnNQS', 'wTMfGZSNwW', 'XOffENX6K1', 'zZCfkAYeaE'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, AF6pDCZjpdWXnI4jIn.cs | High entropy of concatenated method names: 'BfjQ0CRby1', 'GL9QnNl1Li', 'g4jNi3RUjC', 'L0nNd0XU6N', 'MwLQb7b1jo', 'F5VQRHGxTn', 'W9aQW8vh3a', 'jYXQCjA9ae', 'xsVQcHPCRL', 'xl0Q1BqoqK'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, vu1SxwMQH0MeNCUMnU.cs | High entropy of concatenated method names: 'hO1PxWyEAQ', 'JafPSASD81', 'NXdPLIbP5C', 'agZP8ZmPgL', 'ftyP6Z8pSk', 'V1FPvB95nQ', 'yCZPaMl6Sj', 'V1lPyfRKUN', 'PhxPYF4uES', 'hJnPmmc9wZ'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, QjaLTc5DtZKrZVTjP0.cs | High entropy of concatenated method names: 'tQCAGXNnNq', 'qKUAkw36Rt', 'aHcArnT0DZ', 'MrJAP8DvgX', 'g5xAV8knV1', 'iGwrOZQXLT', 'w52rZh9Cif', 'ceVr7m1Z6X', 'XgPr0FCLDN', 'i4xrljOQSP'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, utXEBdky5Mri52Acxm.cs | High entropy of concatenated method names: 'Dispose', 'eIPdlcSbge', 'xVqwFdnA7D', 'zpGXOXqqjb', 'T70dnf6mV7', 'tpxdzsGpVk', 'ProcessDialogKey', 'IT6wiKYc43', 'HGIwdnHQCP', 'nv9wwYaI3V'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, Jss8H1Cp940khZn6tv.cs | High entropy of concatenated method names: 'kWZgTSm5Lx', 'chlgRBqbnF', 'QkngCq7Jcw', 'uRQgceWmuK', 'Q7VgFryImU', 'SRIgq0Lenw', 'IndgsLyeRF', 'MWtgHZ3Q91', 'DVFgpOGtRg', 'nrGgD4Af5G'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, h2gG4ydi2JpI5jL5rVT.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Ek3BbfMsky', 'w4FBRlA6WC', 'RRHBW8ZI3U', 'Pn5BCG7VmC', 'PWbBcGTYv9', 'QGqB1ofyoO', 'Yk5BUaq9W4'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, BKYc43lqGInHQCP3v9.cs | High entropy of concatenated method names: 'zl3J5oCo38', 'mskJFZ7MVx', 'SYCJqOhPUx', 'MX1Jsn1mJl', 'StwJHRQkrH', 'dxuJpKdR9r', 'iaFJDR0B4t', 'Mg3Jos7DQI', 'K1jJM21B97', 'xl7JTpv748'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, QS3LV81MsGOHg4YjUg.cs | High entropy of concatenated method names: 'ToString', 'qnSIbKUo3T', 'CafIFENlFY', 'V7WIqyc0XR', 'rFdIsqhxFW', 'Rq3IHLOiRM', 'hUAIpg57B1', 'S95ID2vqhG', 'v69Iof7Yf4', 'g7FIM1cWhn'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, AN9xAWVwQAXkleQq7U.cs | High entropy of concatenated method names: 'dEd2Gtgapj', 'SV62Evh5Fr', 'Puc2kRZc1Z', 'kZT2euIIcj', 'ttM2rFoZSI', 'Pu02AxgMbC', 'RAt2PugPZ1', 'hpJ2VBB3O4', 'XSd2jBnC1I', 'n802uBmn0l'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, yyYeAx9TJ5i7gmjhfP.cs | High entropy of concatenated method names: 'jGSdPwV4eg', 'sHNdVBKnEJ', 'LiydukCFtX', 'GxedhudLwa', 'tcfdgm9Wja', 'zTcdIDtZKr', 'XxMaCa5xiEeZCanSPJ', 'XtdOMqbMEDG2TRQP8b', 'ewFddN4Ge7', 'gKbd2uxBZI'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, EaI3VUnSAXRAnXnvDa.cs | High entropy of concatenated method names: 'VaTBeOkePn', 'XhuBrOsL33', 'BOaBAPeqDr', 'FbsBP3YawF', 'tEeBJulgQO', 'aq8BVPWe5D', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, CqSGQNUBRGJ0RKaRX6.cs | High entropy of concatenated method names: 'icbQu1fAcm', 'yr7Qhxu218', 'ToString', 'UXtQEQJJWL', 'luRQkycFDo', 'dmIQetpI5q', 'qhlQr4jtIu', 'hXdQAwsFnF', 'vSPQPoVRFY', 'hc6QVU70g3'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, DMvN7lWWbvuYFgyi7N.cs | High entropy of concatenated method names: 'S683yHk05c', 'eQr3YKMcjp', 'TqF35Y1sQw', 'S3H3FKOviE', 'aYN3scAg5M', 'hdO3HYfnqZ', 'Y0A3D03mQh', 'M9R3oh2Y5R', 'XXM3Tlhoxb', 'DAW3bVkC5t'
Source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.7280000.4.raw.unpack, yfX8EJwHvQdkXft9Ly.cs | High entropy of concatenated method names: 'iJ1LQ75lb', 'uMO83cjLb', 'ENlv9CSEH', 'ri7aShieu', 'kEHYlWmH3', 'pxvmBxQ4f', 'sBlNFS6dceBjoQLPLl', 'DAb4Zn7DYGwjbMiRaQ', 'W23NQ72pT', 'UmqBdgDyi'

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match | File source: Process Memory Space: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe PID: 6644, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Memory allocated: BD0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Memory allocated: 25B0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Memory allocated: 24F0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Memory allocated: 7510000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Memory allocated: 8510000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Memory allocated: 86C0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Memory allocated: 96C0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Memory allocated: 1570000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Memory allocated: 2F20000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Memory allocated: 2E40000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6402
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3297
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Window / User API: threadDelayed 2815
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Window / User API: threadDelayed 6978
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 6464 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1680 | Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652 | Thread sleep count: 36 > 30
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652 | Thread sleep time: -33204139332677172s >= -30000s
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652 | Thread sleep time: -100000s >= -30000s
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 4912 | Thread sleep count: 2815 > 30
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652 | Thread sleep time: -99860s >= -30000s
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 4912 | Thread sleep count: 6978 > 30
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652 | Thread sleep time: -99735s >= -30000s
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652 | Thread sleep time: -99625s >= -30000s
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652 | Thread sleep time: -99516s >= -30000s
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652 | Thread sleep time: -99405s >= -30000s
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652 | Thread sleep time: -99281s >= -30000s
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652 | Thread sleep time: -99172s >= -30000s
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652 | Thread sleep time: -99047s >= -30000s
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652 | Thread sleep time: -98893s >= -30000s
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652 | Thread sleep time: -98752s >= -30000s
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652 | Thread sleep time: -98610s >= -30000s
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652 | Thread sleep time: -98484s >= -30000s
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652 | Thread sleep time: -98371s >= -30000s
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -98259s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -98141s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -98016s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -97891s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -97782s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -97657s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -97532s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -97422s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -97313s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -97188s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -97075s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -96954s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -96842s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -96719s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -96610s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -96500s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -96375s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -96266s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -96156s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -96047s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -95938s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -95813s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -95703s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -95594s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -95469s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -95360s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -95235s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -95110s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -94996s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -94875s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -94766s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -94641s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -94532s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -94407s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -94282s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -94159s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -94032s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -93907s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -93782s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652Thread sleep time: -93657s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 100000Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 99860Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 99735Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 99625Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 99516Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 99405Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 99281Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 99172Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 99047Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 98893Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 98752Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 98610Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 98484Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 98371Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 98259Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 98141Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 98016Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 97891Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 97782Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 97657Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 97532Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 97422Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 97313Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 97188Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 97075Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 96954Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 96842Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 96719Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 96610Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 96500Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 96375Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 96266Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 96156Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 96047Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 95938Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 95813Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 95703Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 95594Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 95469Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 95360Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 95235Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 95110Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 94996Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 94875Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 94766Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 94641Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 94532Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 94407Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 94282Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 94159Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 94032Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 93907Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 93782Jump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeThread delayed: delay time: 93657Jump to behavior
                      Source: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486074525.0000000001311000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exeMemory allocated: page read and write | page guardJump to behavior
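The sleep and WMI entries above are the raw evidence behind the report's evasion verdicts: one thread (TID 5652) loops through sleeps of roughly 100 s each, stepping the interval down by about 110 to 125 ms per iteration, two threads rack up thousands of short delays, and the sample enumerates Win32_BaseBoard and Win32_Processor over WMI, which is where hypervisor vendor strings show up. The script below is an added triage example, not part of the Joe Sandbox report: it parses entries in this shape, groups the sleep evidence per thread and reports why each thread looks evasive. Two assumptions are labelled in the code: the printed magnitudes are treated as the millisecond intervals passed to the sleep API (the report prints them with an "s" suffix), and the list of WMI classes treated as hypervisor fingerprinting goes beyond the two the report shows. The value 922337203685477 is 2^63 / 10000, the INFINITE relative timeout as the report scales it, so it marks a thread that is parked indefinitely rather than a timed delay. The sample entries in the block are copied from the report and trimmed.

```python
import re
from collections import defaultdict

# Thresholds the report itself applies ("... >= -30000s", "... 36 > 30").
# Assumption: the printed magnitudes are the millisecond intervals handed to
# the sleep API (the sign is the NT relative-timeout convention).
LONG_SLEEP_MS = 30_000
SLEEP_LOOP_CALLS = 30
# 2**63 / 10_000, i.e. the INFINITE relative timeout as the report scales it:
# a thread parked for good (a wait with no timeout), not a timing check.
INFINITE_SLEEP = 922337203685477

# Assumption: WMI classes commonly queried to fingerprint a hypervisor. The
# report shows Win32_BaseBoard and Win32_Processor, and its summary flags
# Win32_NetworkAdapter; the remaining names are a general watch list.
VM_FINGERPRINT_CLASSES = {
    "Win32_BaseBoard", "Win32_Processor", "Win32_NetworkAdapter",
    "Win32_ComputerSystem", "Win32_BIOS", "Win32_VideoController",
}

# One report entry: "Source: <image> [TID: n] | <kind>: <details>".
# The separator is optional so glued entries ("...exeThread sleep time") parse too.
ENTRY_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)"
    r"(?:\s+TID:\s*(?P<tid>\d+))?"
    r"\s*\|?\s*"
    r"(?P<kind>Thread sleep time|Thread sleep count|WMI Queries)"
    r":\s*(?P<rest>.*)$"
)
SLEEP_TIME_RE = re.compile(r"-?(\d+)s")    # "-100000s >= -30000s"
SLEEP_COUNT_RE = re.compile(r"(\d+)\s*>")  # "36 > 30"
WMI_CLASS_RE = re.compile(r"Win32_\w+")

# Constructed sample: a trimmed set of entries in the shape of the report above.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 6464 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1680 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652 | Thread sleep count: 36 > 30
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 4912 | Thread sleep count: 2815 > 30
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe TID: 5652 | Thread sleep time: -99860s >= -30000s
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
"""


def parse_entries(report_text):
    """Group sleep evidence per (image name, TID); collect WMI classes per image."""
    threads = defaultdict(lambda: {"sleeps": [], "infinite": 0, "count": 0})
    wmi = defaultdict(set)
    for line in report_text.splitlines():
        m = ENTRY_RE.search(line.strip())
        if not m:
            continue  # other signature lines are not evasion evidence
        image = m.group("proc").rsplit("\\", 1)[-1]
        key = (image, m.group("tid"))
        kind, rest = m.group("kind"), m.group("rest")
        if kind == "Thread sleep time":
            ms = int(SLEEP_TIME_RE.match(rest).group(1))
            if ms == INFINITE_SLEEP:
                threads[key]["infinite"] += 1
            else:
                threads[key]["sleeps"].append(ms)
        elif kind == "Thread sleep count":
            n = int(SLEEP_COUNT_RE.match(rest).group(1))
            threads[key]["count"] = max(threads[key]["count"], n)
        else:
            wmi[image].update(WMI_CLASS_RE.findall(rest))
    return threads, wmi


def triage(report_text):
    """Return one finding per thread/image that shows sandbox-evasion behaviour."""
    threads, wmi = parse_entries(report_text)
    findings = []
    for (image, tid), t in sorted(threads.items(), key=lambda kv: (kv[0][0], kv[0][1] or "")):
        reasons = []
        if t["sleeps"] and max(t["sleeps"]) >= LONG_SLEEP_MS:
            reasons.append(f"long sleep {max(t['sleeps'])} ms")
        calls = max(t["count"], len(t["sleeps"]))  # count line or observed calls
        if calls > SLEEP_LOOP_CALLS:
            reasons.append(f"sleep loop ({calls} calls, ~{sum(t['sleeps']) / 1000:.0f} s seen)")
        if t["infinite"] and not t["sleeps"]:
            reasons.append("parked thread (INFINITE timeout), not a timing check")
        if reasons:
            findings.append({"image": image, "tid": tid, "reasons": reasons})
    for image, classes in sorted(wmi.items()):
        hit = sorted(classes & VM_FINGERPRINT_CLASSES)
        if hit:
            findings.append({"image": image, "tid": None,
                             "reasons": ["VM fingerprint via WMI: " + ", ".join(hit)]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f["image"], f["tid"] or "-", "; ".join(f["reasons"]))
```

Run against the full section, TID 5652 comes out as the timing loop worth patching or accelerating in the sandbox, TID 4912 as a busy-wait, and TID 6464 as a thread that simply never returns (a hook or message-loop thread is the usual owner of an INFINITE wait).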

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe"
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe"
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Memory written: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe"
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Process created: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe"
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Queries volume information: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe VolumeInformation
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Queries volume information: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe VolumeInformation
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
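The first entries of this section are the ones to build detection on: before hollowing its own child (the "Memory written ... base: 400000 value starts with: 4D5A" entry is an MZ header landing at the image base of a suspended copy of itself), the sample spawns powershell.exe to add its own path as a Defender exclusion. The report's summary also lists a Sigma hit for a base64-encoded MpPreference cmdlet, so any detector has to look past the plain command line into -EncodedCommand payloads. The block below is an added example, not code from the report or the Sigma project: it flags Add-MpPreference/Set-MpPreference calls with exclusion or protection-disabling parameters in plain and encoded command lines, and derives the three alignment-stable base64 fragments of a keyword for matching encoded payloads without decoding them (the idea behind Sigma's base64offset modifier). The cmdlet and parameter watch list beyond the Add-MpPreference -ExclusionPath the report shows is an assumption, as is the encoded command line, which is constructed here from the report's plain one.

```python
import base64
import re

# The report shows Add-MpPreference -ExclusionPath. The other cmdlet and the
# remaining parameters are an assumption: further settings of the same
# Defender module that attackers weaken, not something this report shows.
MP_CMDLETS = ("Add-MpPreference", "Set-MpPreference")
MP_WEAKENING_PARAMS = (
    "ExclusionPath", "ExclusionProcess", "ExclusionExtension",
    "DisableRealtimeMonitoring", "DisableIOAVProtection",
    "DisableBehaviorMonitoring", "DisableScriptScanning",
)
MP_RE = re.compile(
    r"\b(" + "|".join(MP_CMDLETS) + r")\b.*?-(" + "|".join(MP_WEAKENING_PARAMS) + r")\b",
    re.IGNORECASE,
)

# powershell.exe accepts -ec and any unambiguous prefix of -EncodedCommand
# (-e, -en, -enc, ...); the argument is base64 of the UTF-16LE script text.
_ENC_PREFIXES = {"encodedcommand"[:n] for n in range(1, 15)} | {"ec"}
ENCODED_ARG_RE = re.compile(
    r"(?:^|\s)[-/](?:" + "|".join(sorted(_ENC_PREFIXES, key=len, reverse=True))
    + r")\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


def powershell_encode(script):
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_commands(cmdline):
    """Decode every -EncodedCommand payload in a command line; skip malformed ones."""
    decoded = []
    for blob in ENCODED_ARG_RE.findall(cmdline):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def detect_defender_tamper(cmdline):
    """Return (where, cmdlet, parameter) for each Defender-weakening call,
    whether written out in the command line or hidden behind -EncodedCommand."""
    texts = [("plain", cmdline)]
    texts += [("encoded", script) for script in decode_encoded_commands(cmdline)]
    return [(where, m.group(1), m.group(2))
            for where, text in texts for m in MP_RE.finditer(text)]


def base64_offset_fragments(needle):
    """Base64 of the UTF-16LE needle at each of the three byte alignments,
    trimmed to the characters that do not depend on neighbouring bytes, so a
    fragment can be matched inside an encoded command without decoding it."""
    raw = needle.encode("utf-16-le")
    start = (0, 2, 3)      # leading chars that mix in the preceding bytes
    end = (None, -3, -2)   # trailing chars/padding that mix in following bytes
    return [
        base64.b64encode(b"\x00" * i + raw).decode("ascii")[start[i]:end[(len(raw) + i) % 3]]
        for i in range(3)
    ]


# Constructed samples: the script from the command line the report shows, once
# as that plain command line and once wrapped in -EncodedCommand.
SCRIPT = (r'Add-MpPreference -ExclusionPath '
          r'"C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe"')
PLAIN_CMDLINE = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ' + SCRIPT
ENCODED_CMDLINE = "powershell.exe -NoP -w hidden -enc " + powershell_encode(SCRIPT)

if __name__ == "__main__":
    for line in (PLAIN_CMDLINE, ENCODED_CMDLINE):
        print(detect_defender_tamper(line))
    print(base64_offset_fragments("Add-MpPreference"))
```

The fragments are what goes into a string-match rule for telemetry that only carries the raw command line; the decoder is for pipelines that can afford it and also catches abbreviated parameters the regex list would miss if it is extended with them. On a host where this ran, the exclusion outlives the process: check Get-MpPreference for the ExclusionPath entry and the Defender operational log for configuration-change events before trusting later scan results.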

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.3837a90.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.37fb270.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.37fb270.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.3837a90.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.35ce790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4485380510.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4486703238.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4486703238.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4486703238.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2050350308.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe PID: 6644, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe PID: 3448, type: MEMORYSTR
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.6820000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.6820000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.35ce790.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.35ce790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2057678679.0000000006820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2050350308.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.35ce790.1.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.3837a90.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.37fb270.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.37fb270.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.3837a90.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.35ce790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4485380510.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4486703238.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2050350308.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe PID: 6644, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe PID: 3448, type: MEMORYSTR

                      Remote Access Functionality

                      barindex
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.3837a90.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.37fb270.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.37fb270.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.3837a90.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.35ce790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4485380510.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4486703238.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4486703238.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4486703238.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2050350308.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe PID: 6644, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe PID: 3448, type: MEMORYSTR
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.6820000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.6820000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.35ce790.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.35ce790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2057678679.0000000006820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2050350308.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe.35ce790.1.raw.unpack, type: UNPACKEDPE
ATT&CK matrix (one line per tactic; bracketed digits are the count badges shown beside matched techniques)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: [121] Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: [1] DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: [1] DLL Side-Loading; [111] Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: [11] Disable or Modify Tools; [1] Deobfuscate/Decode Files or Information; [2] Obfuscated Files or Information; [22] Software Packing; [1] Timestomp; [1] DLL Side-Loading; [1] Masquerading; [141] Virtualization/Sandbox Evasion; [111] Process Injection
Credential Access: [2] OS Credential Dumping; [21] Input Capture; [1] Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: [1] File and Directory Discovery; [24] System Information Discovery; [1] Query Registry; [111] Security Software Discovery; [1] Process Discovery; [141] Virtualization/Sandbox Evasion; [1] Application Window Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: [11] Archive Collected Data; [2] Data from Local System; [1] Email Collection; [21] Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: [1] Encrypted Channel; [1] Non-Standard Port; [1] Non-Application Layer Protocol; [11] Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID 1562196). Sample: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe; start date: 25/11/2024; architecture: WINDOWS; score: 100. Contacted host: zqamcx.com. Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 12 other signatures.
• GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe started. Dropped: GLOWINGSEA_RFQ_110...077-103-AUX.exe.log (ASCII). Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes.
• Second GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe instance, started by the first. Network: zqamcx.com 78.110.166.82, ports 49709, 49712, 587, UKSERVERS-ASUKDedicatedServersHostingandCo-Location, United Kingdom. Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures.
• powershell.exe, started by the first instance. Signature: Loading BitLocker PowerShell Module. Started WmiPrvSE.exe and conhost.exe.

Source | Detection | Scanner | Label | Link
GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | 37% | ReversingLabs
GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | 100% | Joe Sandbox ML
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
zqamcx.com | 78.110.166.82 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://zqamcx.com | GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000003112000.00000004.00000800.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000002F76000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000000.00000002.2050350308.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4485380510.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://r11.o.lencr.org0# | GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4495402281.000000000667E000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486074525.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486074525.0000000001311000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000003112000.00000004.00000800.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000002F76000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000000.00000002.2041030544.00000000025F6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | false | | high
http://r11.i.lencr.org/0# | GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4495402281.000000000667E000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486074525.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486074525.0000000001311000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000003112000.00000004.00000800.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000002F76000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4495402281.000000000667E000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486074525.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486074525.0000000001311000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000003112000.00000004.00000800.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000002F76000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4495402281.000000000667E000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486074525.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486074525.0000000001311000.00000004.00000020.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000003112000.00000004.00000800.00020000.00000000.sdmp, GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe, 00000005.00000002.4486703238.0000000002F76000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/DataSet1.xsd | GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
78.110.166.82 | zqamcx.com | United Kingdom | | 42831 | UKSERVERS-ASUKDedicatedServersHostingandCo-Location | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562196
Start date and time: 2024-11-25 10:33:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/6@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 87
• Number of non-executed functions: 9
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
Time | Type | Description
04:33:56 | API Interceptor | 9300054x Sleep call for process: GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe modified
04:33:58 | API Interceptor | 12x Sleep call for process: powershell.exe modified
Context by IP (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
78.110.166.82
• COB756883.vbs | malicious | CobaltStrike | context: windowsupdatesolutions.com/ServerCOB.txt
• Ingreso_SII_Abril_2021.cmd | malicious | Unknown | context: www.emolcl.com/namaste/puma.php
• Ingreso_SII_Abril_2021.cmd | malicious | Unknown | context: www.emolcl.com/namaste/puma.php

Context by domain (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
zqamcx.com
• EKSTRE_1022.exe | malicious | AgentTesla | context: 78.110.166.82
• 18112024_Dokman_1 Kas_m 2024- Avans_T24-2112184_dekont.exe | malicious | AgentTesla | context: 78.110.166.82
• Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | malicious | AgentTesla | context: 78.110.166.82
• Halkbank_Ekstre_20241118_081142_787116.exe | malicious | AgentTesla | context: 78.110.166.82
• PO NO170300999.exe | malicious | AgentTesla | context: 78.110.166.82
• Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | malicious | AgentTesla | context: 78.110.166.82

Context by ASN (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
UKSERVERS-ASUKDedicatedServersHostingandCo-Location
• Quote GVSE24-00815.exe | malicious | AgentTesla | context: 78.110.166.82
• EKSTRE_1022.exe | malicious | AgentTesla | context: 78.110.166.82
• New_Order_Inquiry.exe | malicious | AgentTesla | context: 78.110.166.82
• 18112024_Dokman_1 Kas_m 2024- Avans_T24-2112184_dekont.exe | malicious | AgentTesla | context: 78.110.166.82
• Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | malicious | AgentTesla | context: 78.110.166.82
• Halkbank_Ekstre_20241118_081142_787116.exe | malicious | AgentTesla | context: 78.110.166.82
• (#U0130TOSAM) 11 KASIM 2024 HAFTALIK EKONOM#U0130 B#U00dcLTEN#U0130.exe | malicious | AgentTesla | context: 78.110.166.82
• PO NO170300999.exe | malicious | AgentTesla | context: 78.110.166.82
• sora.mips.elf | malicious | Mirai | context: 78.157.201.124
• RKsVnThLLP.exe | malicious | Njrat | context: 94.46.207.10
                                          No context
                                          No context
Process: C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.379460230152629
Encrypted: false
SSDEEP: 48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//MPUyus:fLHyIFKL3IZ2KRH9Ougss
MD5: 47AE6B38874AA66FC6688784E5F2EF18
SHA1: AF71A58235AE5D80BDDA79DE907697354E5553F6
SHA-256: F271AAB7854518D80F39793CBA35D7BFDABBFBCAC9DBD8F5E79EAE393BDC4C98
SHA-512: D8FD735141FBF25FE4EFB88E973F4416A50EC0E065A297BC8B398FF96AD77EE852EA2E66BD3CAFED7C4C9EE9D24742C3D95F03DD13DBC6C1B57BFDB2F40EF1A3
Malicious: false
Reputation: moderate, very likely benign file
                                          Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.929601750867954
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                          • Win32 Executable (generic) a (10002005/4) 49.97%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
                                          File size:740'360 bytes
                                          MD5:f1ea1b78865f0eea18a4821f45f10948
                                          SHA1:4a5650f660f478df65cde9a2caebbc1dbe8c8d74
                                          SHA256:31280f11bf64367779cdf2d9e04b62fd7ad53c28fd44bdf70e7793583793aca3
                                          SHA512:8cc7ff357c77376f53e51488fba5e36eae315b802992e80c66632378ede67cd83f0a2a6dfac960eccb41e674530998c2d0711d2d6adc7d6a6079991a4f0ffb8c
                                          SSDEEP:12288:6A0iJ3RbeXN4sa4qHqZa6f4FSL1dzYKiURhZHtrFJVbkR:6HiJ35eXNO4qif4giURhfZX+
                                          TLSH:C5F4128173B4DF92E2B95FF95815E34147F1E1162571E2088ECBA0DF2EC3B528A52B1B
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v.B...............0..............)... ...@....@.. ....................................@................................
                                          Icon Hash:00928e8e8686b000
                                          Entrypoint:0x4b291e
                                          Entrypoint Section:.text
                                          Digitally signed:true
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0xFD42D076 [Sun Aug 24 09:46:30 2104 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Signature Valid:false
                                          Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                          Signature Validation Error:The digital signature of the object did not verify
                                          Error Number:-2146869232
                                          Not Before, Not After
                                          • 12/11/2018 19:00:00 08/11/2021 18:59:59
                                          Subject Chain
                                          • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                          Version:3
                                          Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                          Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                          Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                          Serial:7C1118CBBADC95DA3752C46E47A27438
                                          Instruction
                                          jmp dword ptr [00402000h]
                                           Name | Virtual Address | Virtual Size | Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb28ca | 0x4f | .text
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb4000 | 0x628 | .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0xb1600 | 0x3608 |
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb6000 | 0xc | .reloc
                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0xafe78 | 0x70 | .text
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                           Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                           .text | 0x2000 | 0xb0924 | 0xb0a00 | 1d3ba62c37e65f9f751d93f968c0034f | False | 0.9481364450636943 | data | 7.937984443380174 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                           .rsrc | 0xb4000 | 0x628 | 0x800 | 721fb21ebf9a640bd699ff833422233f | False | 0.337890625 | data | 3.461386674263737 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .reloc | 0xb6000 | 0xc | 0x200 | 1586dc2e121eb5309e4f79627e21fff3 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                           Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                           RT_VERSION | 0xb4090 | 0x398 | OpenPGP Public Key | | | 0.4206521739130435
                                           RT_MANIFEST | 0xb4438 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                           DLL | Import
                                           mscoree.dll | _CorExeMain
Timestamp    Source Port    Dest Port    Source IP    Dest IP
Nov 25, 2024 10:34:00.334506989 CET    51598    53    192.168.2.5    1.1.1.1
Nov 25, 2024 10:34:00.986502886 CET    53    51598    1.1.1.1    192.168.2.5
Timestamp    Source IP    Dest IP    Trans ID    OP Code    Name    Type    Class    DNS over HTTPS
Nov 25, 2024 10:34:00.334506989 CET    192.168.2.5    1.1.1.1    0x2347    Standard query (0)    zqamcx.com    A (IP address)    IN (0x0001)    false

Timestamp    Source IP    Dest IP    Trans ID    Reply Code    Name    CName    Address    Type    Class    DNS over HTTPS
Nov 25, 2024 10:34:00.986502886 CET    1.1.1.1    192.168.2.5    0x2347    No error (0)    zqamcx.com    -    78.110.166.82    A (IP address)    IN (0x0001)    false
Timestamp    Source Port    Dest Port    Source IP    Dest IP    Commands
Nov 25, 2024 10:34:02.541858912 CET    587    49709    78.110.166.82    192.168.2.5    220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Mon, 25 Nov 2024 09:34:02 +0000
                                                                                    220-We do not authorize the use of this system to transport unsolicited,
                                                                                    220 and/or bulk e-mail.
Nov 25, 2024 10:34:02.542685032 CET    49709    587    192.168.2.5    78.110.166.82    EHLO 618321
Nov 25, 2024 10:34:02.939534903 CET    587    49709    78.110.166.82    192.168.2.5    250-cphost14.qhoster.net Hello 618321 [8.46.123.75]
                                                                                    250-SIZE 52428800
                                                                                    250-8BITMIME
                                                                                    250-PIPELINING
                                                                                    250-PIPECONNECT
                                                                                    250-STARTTLS
                                                                                    250 HELP
Nov 25, 2024 10:34:02.939749956 CET    49709    587    192.168.2.5    78.110.166.82    STARTTLS
Nov 25, 2024 10:34:03.335614920 CET    587    49709    78.110.166.82    192.168.2.5    220 TLS go ahead
Nov 25, 2024 10:34:08.982822895 CET    587    49712    78.110.166.82    192.168.2.5    220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Mon, 25 Nov 2024 09:34:08 +0000
                                                                                    220-We do not authorize the use of this system to transport unsolicited,
                                                                                    220 and/or bulk e-mail.
Nov 25, 2024 10:34:08.983068943 CET    49712    587    192.168.2.5    78.110.166.82    EHLO 618321
Nov 25, 2024 10:34:09.378376961 CET    587    49712    78.110.166.82    192.168.2.5    250-cphost14.qhoster.net Hello 618321 [8.46.123.75]
                                                                                    250-SIZE 52428800
                                                                                    250-8BITMIME
                                                                                    250-PIPELINING
                                                                                    250-PIPECONNECT
                                                                                    250-STARTTLS
                                                                                    250 HELP
Nov 25, 2024 10:34:09.378562927 CET    49712    587    192.168.2.5    78.110.166.82    STARTTLS
Nov 25, 2024 10:34:09.774930000 CET    587    49712    78.110.166.82    192.168.2.5    220 TLS go ahead
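
Both SMTP sessions end at "220 TLS go ahead", so the capture shows only the greeting, the client's EHLO and the STARTTLS negotiation; AUTH, MAIL FROM and the message body that follow are encrypted and not visible in the report. What can still be pulled out before the handshake is the server banner hostname, the client's EHLO identifier (618321, which is not a hostname), the advertised extensions and the fact that the same identifier is reused by two connections six seconds apart. The Python below is an added example and is not part of the Joe Sandbox report; it parses the Commands column of both sessions, embedded here as constructed input copied from the table above, and turns those observations into indicators. The hostname check is a heuristic: legitimate clients also send bare machine names in EHLO, so it is meant to be read together with the process context (a non-mail process connecting to port 587), not on its own.

```python
import re

# Constructed input: the Commands column of the two SMTP sessions in the report,
# keyed by client port. "S" marks server -> client lines, "C" client -> server.
def _session(banner_time):
    return [
        ("S", f"220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Mon, 25 Nov 2024 {banner_time} +0000"),
        ("S", "220-We do not authorize the use of this system to transport unsolicited,"),
        ("S", "220 and/or bulk e-mail."),
        ("C", "EHLO 618321"),
        ("S", "250-cphost14.qhoster.net Hello 618321 [8.46.123.75]"),
        ("S", "250-SIZE 52428800"),
        ("S", "250-8BITMIME"),
        ("S", "250-PIPELINING"),
        ("S", "250-PIPECONNECT"),
        ("S", "250-STARTTLS"),
        ("S", "250 HELP"),
        ("C", "STARTTLS"),
        ("S", "220 TLS go ahead"),
    ]

SAMPLE_SESSIONS = {49709: _session("09:34:02"), 49712: _session("09:34:08")}

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")            # RFC 5321 reply: code, '-' (more) or ' ' (last)
HELLO_RE = re.compile(r"Hello\s+(\S+)\s+\[([\d.]+)\]")   # Exim echoes the EHLO name and client IP
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")

def parse_session(lines):
    """Walk one SMTP session up to STARTTLS and collect the plaintext-visible facts."""
    session = {
        "banner_host": None, "ehlo_name": None, "extensions": [],
        "client_public_ip": None, "starttls_requested": False, "tls_accepted": False,
    }
    last_command = None
    for direction, text in lines:
        if direction == "C":
            verb, _, arg = text.strip().partition(" ")
            last_command = verb.upper()
            if last_command in ("EHLO", "HELO"):
                session["ehlo_name"] = arg.strip() or None
            elif last_command == "STARTTLS":
                session["starttls_requested"] = True
            continue
        m = REPLY_RE.match(text)
        if not m:
            continue
        code, _sep, body = m.groups()
        if code == "220" and last_command is None and session["banner_host"] is None:
            session["banner_host"] = body.split()[0]          # first banner line names the server
        elif code == "220" and last_command == "STARTTLS":
            session["tls_accepted"] = True                    # everything after this is ciphertext
        elif code == "250" and last_command in ("EHLO", "HELO"):
            hm = HELLO_RE.search(body)
            if hm:
                session["client_public_ip"] = hm.group(2)     # the sandbox's egress address
            else:
                session["extensions"].append(body.split()[0].upper())
    return session

def indicators(session):
    found = []
    name = session["ehlo_name"]
    if name is not None and not HOSTNAME_RE.match(name):
        found.append(f"EHLO identifier {name!r} is not a fully qualified hostname")
    if session["starttls_requested"] and session["tls_accepted"]:
        found.append("STARTTLS negotiated; AUTH and message content are not visible in the capture")
    return found

def triage(sessions):
    """Summarise all sessions to one mail server and cross-check them against each other."""
    parsed = {port: parse_session(lines) for port, lines in sessions.items()}
    names = {s["ehlo_name"] for s in parsed.values() if s["ehlo_name"]}
    inds = []
    for port, s in parsed.items():
        inds.extend(f"port {port}: {i}" for i in indicators(s))
    if len(parsed) > 1 and len(names) == 1:
        inds.append(f"EHLO identifier {next(iter(names))!r} reused across {len(parsed)} sessions")
    return {
        "session_count": len(parsed),
        "ehlo_names": names,
        "servers": {s["banner_host"] for s in parsed.values()},
        "indicators": inds,
    }

if __name__ == "__main__":
    for line in triage(SAMPLE_SESSIONS)["indicators"]:
        print(line)
```

The server's "Hello 618321 [8.46.123.75]" line is useful for correlation: the bracketed address is what the mail provider's logs will record for this connection, so it is the value to search for on the receiving side.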


                                          Target ID:0
                                          Start time:04:33:55
                                          Start date:25/11/2024
                                          Path:C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe"
                                          Imagebase:0x1b0000
                                          File size:740'360 bytes
                                          MD5 hash:F1EA1B78865F0EEA18A4821F45F10948
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2057678679.0000000006820000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2050350308.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2050350308.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2050350308.00000000035B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:true

                                          Target ID:3
                                          Start time:04:33:56
                                          Start date:25/11/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe"
                                          Imagebase:0xbb0000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:4
                                          Start time:04:33:56
                                          Start date:25/11/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:5
                                          Start time:04:33:56
                                          Start date:25/11/2024
                                          Path:C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe"
                                          Imagebase:0xb50000
                                          File size:740'360 bytes
                                          MD5 hash:F1EA1B78865F0EEA18A4821F45F10948
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.4485380510.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4485380510.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4486703238.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4486703238.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.4486703238.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4486703238.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:false

                                          Target ID:6
                                          Start time:04:34:00
                                          Start date:25/11/2024
                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                          Imagebase:0x7ff6ef0c0000
                                          File size:496'640 bytes
                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true
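
Two things in the process list above lend themselves to automated checks. Target 3 is a PowerShell instance whose command line adds a Windows Defender exclusion for the sample's own path, and Target 5 is a second instance of the sample (same path, same MD5, a different image base) started one second after Target 0; Target 0 has exited while Target 5 is still running, which is the shape a self-injecting loader leaves behind. The Python below is an added example and not part of the report. The process records are constructed from the fields shown above; this export carries no parent/child links, so the respawn check relies on image identity and start time only. The exclusion check also matches Set-MpPreference -Disable* switches, which do not occur on this page but are the same tampering technique.

```python
import re
from datetime import datetime

# Constructed input: the process records from the report, reduced to the fields the
# checks below use. "start" is the report's HH:MM:SS start time.
SAMPLE_PATH = r"C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe"
PROCESSES = [
    {"id": 0, "start": "04:33:55", "path": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"',
     "md5": "F1EA1B78865F0EEA18A4821F45F10948", "exited": True},
    {"id": 3, "start": "04:33:56",
     "path": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.exe"',
     "md5": "C32CA4ACFCC635EC1EA6ED8A34DF5FAC", "exited": True},
    {"id": 4, "start": "04:33:56", "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "md5": "0D698AF330FD17BEE3BF90011D49251D", "exited": True},
    {"id": 5, "start": "04:33:56", "path": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"',
     "md5": "F1EA1B78865F0EEA18A4821F45F10948", "exited": False},
    {"id": 6, "start": "04:34:00", "path": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",
     "md5": "60FF40CFD7FB8FE41EE4FE9AE5FE1C51", "exited": True},
]

MP_CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
# -ExclusionPath "quoted", -ExclusionPath 'quoted' or -ExclusionPath bare; ':' form also accepted.
EXCLUSION_RE = re.compile(
    r"-(Exclusion(?:Path|Process|Extension|IpAddress))[\s:]+(?:\"([^\"]*)\"|'([^']*)'|(\S+))",
    re.IGNORECASE)
# Generalisation beyond this report: Set-MpPreference -DisableRealtimeMonitoring $true and friends.
DISABLE_RE = re.compile(r"-(Disable\w+)[\s:]+(\$true|1)\b", re.IGNORECASE)

def defender_tampering(cmdline):
    """Return (parameter, value) pairs from an Add-/Set-MpPreference command line that weaken Defender."""
    if not MP_CMDLET_RE.search(cmdline):
        return []
    found = [(m.group(1), m.group(2) or m.group(3) or m.group(4)) for m in EXCLUSION_RE.finditer(cmdline)]
    found += [(m.group(1), m.group(2)) for m in DISABLE_RE.finditer(cmdline)]
    return found

def _secs(hhmmss):
    t = datetime.strptime(hhmmss, "%H:%M:%S")
    return t.hour * 3600 + t.minute * 60 + t.second

def self_respawns(processes, window_s=5):
    """Pairs (earlier_id, later_id) where the same image (path and MD5) starts again within window_s seconds."""
    ordered = sorted(processes, key=lambda p: (_secs(p["start"]), p["id"]))
    pairs = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            same_image = (a["path"].lower() == b["path"].lower()
                          and a["md5"].lower() == b["md5"].lower())
            if same_image and 0 <= _secs(b["start"]) - _secs(a["start"]) <= window_s:
                pairs.append((a["id"], b["id"]))
    return pairs

def triage(processes, sample_path=SAMPLE_PATH):
    findings = []
    for p in processes:
        for param, value in defender_tampering(p["cmdline"]):
            note = f"process {p['id']}: {param} = {value}"
            if value.lower() == sample_path.lower():
                note += " (excludes the sample's own path)"
            findings.append(note)
    by_id = {p["id"]: p for p in processes}
    for earlier, later in self_respawns(processes):
        if by_id[earlier]["exited"] and not by_id[later]["exited"]:
            findings.append(f"process {earlier} re-launched its own image as process {later} "
                            f"and exited while {later} kept running")
    return findings

if __name__ == "__main__":
    for line in triage(PROCESSES):
        print(line)
```

Note the mismatch between Target 3's Path (SysWOW64\WindowsPowerShell) and its command line (System32\WindowsPowerShell): the sample is a 32-bit process, so WOW64 file-system redirection resolved the System32 path to the 32-bit PowerShell. A rule keyed on the image path alone would therefore need both locations; matching the cmdlet in the command line, as above, is independent of that.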


                                            Execution Graph

                                            Execution Coverage:10.8%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:177
                                            Total number of Limit Nodes:8
                                            execution_graph 25337 69ce3b8 25338 69ce543 25337->25338 25340 69ce3de 25337->25340 25340->25338 25341 69c87d8 25340->25341 25342 69ce638 PostMessageW 25341->25342 25343 69ce6a4 25342->25343 25343->25340 25344 bfd418 25345 bfd45e 25344->25345 25349 bfd5e9 25345->25349 25352 bfd5f8 25345->25352 25346 bfd54b 25351 bfd626 25349->25351 25355 bfb770 25349->25355 25351->25346 25353 bfb770 DuplicateHandle 25352->25353 25354 bfd626 25353->25354 25354->25346 25356 bfd660 DuplicateHandle 25355->25356 25357 bfd6f6 25356->25357 25357->25351 25372 bf4668 25373 bf467a 25372->25373 25374 bf4686 25373->25374 25376 bf4778 25373->25376 25377 bf479d 25376->25377 25381 bf4879 25377->25381 25385 bf4888 25377->25385 25382 bf4888 25381->25382 25383 bf498c 25382->25383 25389 bf44b4 25382->25389 25386 bf48af 25385->25386 25387 bf498c 25386->25387 25388 bf44b4 CreateActCtxA 25386->25388 25388->25387 25390 bf5918 CreateActCtxA 25389->25390 25392 bf59db 25390->25392 25393 69cc2a4 25397 69cd170 25393->25397 25414 69cd160 25393->25414 25394 69cc2b8 25398 69cd18a 25397->25398 25431 69cd83b 25398->25431 25436 69cda5b 25398->25436 25440 69cd75b 25398->25440 25444 69cdd7a 25398->25444 25452 69cd8bf 25398->25452 25457 69cdb5f 25398->25457 25465 69cd61d 25398->25465 25470 69cd79c 25398->25470 25481 69cdbdc 25398->25481 25486 69cd6e3 25398->25486 25494 69cd722 25398->25494 25498 69cd708 25398->25498 25506 69cd68c 25398->25506 25510 69cd7bb 25398->25510 25399 69cd1ae 25399->25394 25415 69cd170 25414->25415 25417 69cdbdc 2 API calls 25415->25417 25418 69cd79c 6 API calls 25415->25418 25419 69cd61d 2 API calls 25415->25419 25420 69cdb5f 4 API calls 25415->25420 25421 69cd8bf 2 API calls 25415->25421 25422 69cdd7a 4 API calls 25415->25422 25423 69cd75b 2 API calls 25415->25423 25424 69cda5b 2 API calls 25415->25424 25425 69cd83b 2 API calls 25415->25425 25426 69cd7bb 4 API calls 25415->25426 25427 69cd68c 2 API calls 25415->25427 25428 69cd708 4 API calls 
25415->25428 25429 69cd722 2 API calls 25415->25429 25430 69cd6e3 4 API calls 25415->25430 25416 69cd1ae 25416->25394 25417->25416 25418->25416 25419->25416 25420->25416 25421->25416 25422->25416 25423->25416 25424->25416 25425->25416 25426->25416 25427->25416 25428->25416 25429->25416 25430->25416 25432 69cd85e 25431->25432 25518 69cbbd8 25432->25518 25522 69cbbd1 25432->25522 25433 69cde21 25438 69cbbd8 WriteProcessMemory 25436->25438 25439 69cbbd1 WriteProcessMemory 25436->25439 25437 69cda7f 25437->25399 25438->25437 25439->25437 25526 69cbcc8 25440->25526 25530 69cbcc0 25440->25530 25441 69cd77d 25441->25399 25446 69cd6ef 25444->25446 25445 69cd8f2 25445->25399 25446->25445 25447 69cd873 25446->25447 25542 69cba39 25446->25542 25546 69cba40 25446->25546 25534 69cb98b 25447->25534 25538 69cb990 25447->25538 25453 69cd8c5 25452->25453 25455 69cb98b ResumeThread 25453->25455 25456 69cb990 ResumeThread 25453->25456 25454 69cd8f2 25455->25454 25456->25454 25458 69cd6ef 25457->25458 25459 69cd873 25458->25459 25460 69cd8f2 25458->25460 25463 69cba39 Wow64SetThreadContext 25458->25463 25464 69cba40 Wow64SetThreadContext 25458->25464 25461 69cb98b ResumeThread 25459->25461 25462 69cb990 ResumeThread 25459->25462 25460->25399 25461->25460 25462->25460 25463->25459 25464->25459 25466 69cd627 25465->25466 25467 69cd6c4 25466->25467 25550 69cbe55 25466->25550 25554 69cbe60 25466->25554 25471 69cd7a9 25470->25471 25472 69cd6ef 25471->25472 25477 69cbbd8 WriteProcessMemory 25471->25477 25478 69cbbd1 WriteProcessMemory 25471->25478 25473 69cd873 25472->25473 25474 69cd8f2 25472->25474 25479 69cba39 Wow64SetThreadContext 25472->25479 25480 69cba40 Wow64SetThreadContext 25472->25480 25475 69cb98b ResumeThread 25473->25475 25476 69cb990 ResumeThread 25473->25476 25474->25399 25475->25474 25476->25474 25477->25472 25478->25472 25479->25473 25480->25473 25482 69cdbee 25481->25482 25558 69cbb18 25482->25558 25562 69cbb11 25482->25562 25483 69cdffd 25488 69cd6ef 25486->25488 25487 
69cd8f2 25487->25399 25488->25487 25489 69cd873 25488->25489 25492 69cba39 Wow64SetThreadContext 25488->25492 25493 69cba40 Wow64SetThreadContext 25488->25493 25490 69cb98b ResumeThread 25489->25490 25491 69cb990 ResumeThread 25489->25491 25490->25487 25491->25487 25492->25489 25493->25489 25496 69cba39 Wow64SetThreadContext 25494->25496 25497 69cba40 Wow64SetThreadContext 25494->25497 25495 69cd73c 25495->25399 25496->25495 25497->25495 25500 69cd6ef 25498->25500 25499 69cd8f2 25499->25399 25500->25499 25501 69cd873 25500->25501 25504 69cba39 Wow64SetThreadContext 25500->25504 25505 69cba40 Wow64SetThreadContext 25500->25505 25502 69cb98b ResumeThread 25501->25502 25503 69cb990 ResumeThread 25501->25503 25502->25499 25503->25499 25504->25501 25505->25501 25508 69cbe55 CreateProcessA 25506->25508 25509 69cbe60 CreateProcessA 25506->25509 25507 69cd6c4 25508->25507 25509->25507 25511 69cd6ef 25510->25511 25512 69cd8f2 25511->25512 25513 69cd7f4 25511->25513 25514 69cba39 Wow64SetThreadContext 25511->25514 25515 69cba40 Wow64SetThreadContext 25511->25515 25512->25399 25516 69cb98b ResumeThread 25513->25516 25517 69cb990 ResumeThread 25513->25517 25514->25513 25515->25513 25516->25512 25517->25512 25519 69cbc20 WriteProcessMemory 25518->25519 25521 69cbc77 25519->25521 25521->25433 25523 69cbbd8 WriteProcessMemory 25522->25523 25525 69cbc77 25523->25525 25525->25433 25527 69cbd13 ReadProcessMemory 25526->25527 25529 69cbd57 25527->25529 25529->25441 25531 69cbcc8 ReadProcessMemory 25530->25531 25533 69cbd57 25531->25533 25533->25441 25535 69cb9d0 ResumeThread 25534->25535 25537 69cba01 25535->25537 25537->25445 25539 69cb9d0 ResumeThread 25538->25539 25541 69cba01 25539->25541 25541->25445 25543 69cba40 Wow64SetThreadContext 25542->25543 25545 69cbacd 25543->25545 25545->25447 25547 69cba85 Wow64SetThreadContext 25546->25547 25549 69cbacd 25547->25549 25549->25447 25551 69cbe60 CreateProcessA 25550->25551 25553 69cc0ab 25551->25553 25555 69cbee9 CreateProcessA 
25554->25555 25557 69cc0ab 25555->25557 25559 69cbb58 VirtualAllocEx 25558->25559 25561 69cbb95 25559->25561 25561->25483 25563 69cbb18 VirtualAllocEx 25562->25563 25565 69cbb95 25563->25565 25565->25483 25358 bfac90 25362 bfad88 25358->25362 25367 bfad87 25358->25367 25359 bfac9f 25363 bfadbc 25362->25363 25364 bfad99 25362->25364 25363->25359 25364->25363 25365 bfafc0 GetModuleHandleW 25364->25365 25366 bfafed 25365->25366 25366->25359 25368 bfad99 25367->25368 25369 bfadbc 25367->25369 25368->25369 25370 bfafc0 GetModuleHandleW 25368->25370 25369->25359 25371 bfafed 25370->25371 25371->25359
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 471e5741156c9ff531c85886e9afc437c6c8b4005d02bc630849c5b2d3fd8e8b
                                            • Instruction ID: 45b135c1e4db9426f470d2c683d0181de94b2b89d4f38d7e695e2e1102d5b162
                                            • Opcode Fuzzy Hash: 471e5741156c9ff531c85886e9afc437c6c8b4005d02bc630849c5b2d3fd8e8b
                                            • Instruction Fuzzy Hash: 2C32AC70B016089FDB59DB69C550BAEB7FBAF88710F2444ADE1069B7A1CB30ED05CB52
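
The execution graph for the dynamically decrypted region at 069C0000 resolves CreateProcessA, VirtualAllocEx, ReadProcessMemory, WriteProcessMemory (several call sites), Wow64SetThreadContext and ResumeThread. That is the API set of process hollowing: create a new instance, read and allocate in its address space, write the payload, point the suspended main thread at the new entry point, resume. Seen against the process list, the target is the second instance of the sample itself. The Python below is an added example and not part of the report: a small state machine that scans an ordered API-call trace for that stage sequence while ignoring unrelated calls between the stages. The trace is constructed; the graph names the call sites but not their order, so the order used here is the one a hollowing loader follows. The Nt* names in the stage table are added so the same check runs over a syscall-level trace. Loaders that overwrite the mapped image in place, with neither VirtualAllocEx nor NtUnmapViewOfSection, would never reach the allocate stage; drop that stage for such traces.

```python
# Constructed API-call trace for the injecting process. The names are those the execution
# graph resolves (plus unrelated calls it also shows, such as GetModuleHandleW, CreateActCtxA,
# DuplicateHandle and PostMessageW); the order is assumed, not recorded by the report.
SAMPLE_TRACE = [
    "GetModuleHandleW", "CreateActCtxA", "DuplicateHandle",
    "CreateProcessA",          # new instance of the same image, created suspended
    "ReadProcessMemory",       # read the target PEB to learn its image base
    "VirtualAllocEx",          # room for the payload in the target
    "WriteProcessMemory",      # headers
    "WriteProcessMemory",      # sections
    "WriteProcessMemory",      # new image base written back into the PEB
    "Wow64SetThreadContext",   # main thread redirected to the payload entry point
    "ResumeThread",
    "PostMessageW",
]
# Constructed benign trace: process creation without any of the injection steps.
BENIGN_TRACE = ["GetModuleHandleW", "CreateActCtxA", "CreateProcessA", "WaitForSingleObject", "CloseHandle"]

# Ordered stages; each stage accepts any of the listed names. Nt* aliases are added
# so the same table works on a syscall-level trace.
STAGES = [
    ("create",   {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW", "NtCreateUserProcess"}),
    ("allocate", {"VirtualAllocEx", "NtAllocateVirtualMemory", "NtUnmapViewOfSection", "NtMapViewOfSection"}),
    ("write",    {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("redirect", {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    ("resume",   {"ResumeThread", "NtResumeThread"}),
]
READ_APIS = {"ReadProcessMemory", "NtReadVirtualMemory"}

def detect_hollowing(trace):
    """Return the matched stages (name, api, position) if the trace contains the hollowing
    sequence in order, otherwise None. Calls that belong to no stage are skipped."""
    stage = 0
    matched = []
    write_calls = 0
    read_target = False
    for pos, api in enumerate(trace):
        if stage < len(STAGES) and api in STAGES[stage][1]:
            matched.append((STAGES[stage][0], api, pos))
            stage += 1
        if stage >= 1:                       # only count memory access after a process exists
            if api in STAGES[2][1]:
                write_calls += 1
            if api in READ_APIS:
                read_target = True
    if stage < len(STAGES):
        return None
    return {"stages": matched, "write_calls": write_calls, "read_target_memory": read_target}

def describe(result):
    """One line per matched stage, e.g. for a triage note."""
    if result is None:
        return ["no hollowing sequence found"]
    lines = [f"{name} at #{pos}: {api}" for name, api, pos in result["stages"]]
    lines.append(f"{result['write_calls']} write call(s); target memory read: {result['read_target_memory']}")
    return lines

if __name__ == "__main__":
    for line in describe(detect_hollowing(SAMPLE_TRACE)):
        print(line)
```

The multiple WriteProcessMemory sites in the graph fit the headers/sections/PEB split used above, and the ReadProcessMemory site fits the PEB read; neither is required for a match, but both raise confidence that a matched sequence is an image replacement rather than a single shellcode write.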

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 480 69cbe55-69cbef5 483 69cbf2e-69cbf4e 480->483 484 69cbef7-69cbf01 480->484 491 69cbf87-69cbfb6 483->491 492 69cbf50-69cbf5a 483->492 484->483 485 69cbf03-69cbf05 484->485 486 69cbf28-69cbf2b 485->486 487 69cbf07-69cbf11 485->487 486->483 489 69cbf15-69cbf24 487->489 490 69cbf13 487->490 489->489 493 69cbf26 489->493 490->489 500 69cbfef-69cc0a9 CreateProcessA 491->500 501 69cbfb8-69cbfc2 491->501 492->491 494 69cbf5c-69cbf5e 492->494 493->486 495 69cbf60-69cbf6a 494->495 496 69cbf81-69cbf84 494->496 498 69cbf6c 495->498 499 69cbf6e-69cbf7d 495->499 496->491 498->499 499->499 502 69cbf7f 499->502 512 69cc0ab-69cc0b1 500->512 513 69cc0b2-69cc138 500->513 501->500 503 69cbfc4-69cbfc6 501->503 502->496 505 69cbfc8-69cbfd2 503->505 506 69cbfe9-69cbfec 503->506 507 69cbfd4 505->507 508 69cbfd6-69cbfe5 505->508 506->500 507->508 508->508 510 69cbfe7 508->510 510->506 512->513 523 69cc148-69cc14c 513->523 524 69cc13a-69cc13e 513->524 526 69cc15c-69cc160 523->526 527 69cc14e-69cc152 523->527 524->523 525 69cc140 524->525 525->523 529 69cc170-69cc174 526->529 530 69cc162-69cc166 526->530 527->526 528 69cc154 527->528 528->526 531 69cc186-69cc18d 529->531 532 69cc176-69cc17c 529->532 530->529 533 69cc168 530->533 534 69cc18f-69cc19e 531->534 535 69cc1a4 531->535 532->531 533->529 534->535 537 69cc1a5 535->537 537->537
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 069CC096
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 1e7e50594565cb0896fc8a06514c753c3f56b6d13483df3dd2480fa6b3d6c71d
                                            • Instruction ID: ae4a497bd7bdb26fc94b569d1287c223e0cf1d2a8d12bf421c4f07757dd2cf20
                                            • Opcode Fuzzy Hash: 1e7e50594565cb0896fc8a06514c753c3f56b6d13483df3dd2480fa6b3d6c71d
                                            • Instruction Fuzzy Hash: 87A1AD71D00219DFEB60DF69C841BEDBBB6BF48310F1485AAE808A7244DB749985CF92

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 538 69cbe60-69cbef5 540 69cbf2e-69cbf4e 538->540 541 69cbef7-69cbf01 538->541 548 69cbf87-69cbfb6 540->548 549 69cbf50-69cbf5a 540->549 541->540 542 69cbf03-69cbf05 541->542 543 69cbf28-69cbf2b 542->543 544 69cbf07-69cbf11 542->544 543->540 546 69cbf15-69cbf24 544->546 547 69cbf13 544->547 546->546 550 69cbf26 546->550 547->546 557 69cbfef-69cc0a9 CreateProcessA 548->557 558 69cbfb8-69cbfc2 548->558 549->548 551 69cbf5c-69cbf5e 549->551 550->543 552 69cbf60-69cbf6a 551->552 553 69cbf81-69cbf84 551->553 555 69cbf6c 552->555 556 69cbf6e-69cbf7d 552->556 553->548 555->556 556->556 559 69cbf7f 556->559 569 69cc0ab-69cc0b1 557->569 570 69cc0b2-69cc138 557->570 558->557 560 69cbfc4-69cbfc6 558->560 559->553 562 69cbfc8-69cbfd2 560->562 563 69cbfe9-69cbfec 560->563 564 69cbfd4 562->564 565 69cbfd6-69cbfe5 562->565 563->557 564->565 565->565 567 69cbfe7 565->567 567->563 569->570 580 69cc148-69cc14c 570->580 581 69cc13a-69cc13e 570->581 583 69cc15c-69cc160 580->583 584 69cc14e-69cc152 580->584 581->580 582 69cc140 581->582 582->580 586 69cc170-69cc174 583->586 587 69cc162-69cc166 583->587 584->583 585 69cc154 584->585 585->583 588 69cc186-69cc18d 586->588 589 69cc176-69cc17c 586->589 587->586 590 69cc168 587->590 591 69cc18f-69cc19e 588->591 592 69cc1a4 588->592 589->588 590->586 591->592 594 69cc1a5 592->594 594->594
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 069CC096
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: be703a306e542162d2900afb2a80bdde405d97ce5ff7f5b46cb6c7a6261b3dfd
                                            • Instruction ID: b72a807202afcc484b45b444dac772cbb49c9ee02235457274a3a17396d64e5c
                                            • Opcode Fuzzy Hash: be703a306e542162d2900afb2a80bdde405d97ce5ff7f5b46cb6c7a6261b3dfd
                                            • Instruction Fuzzy Hash: D391AD71D00219DFEF60DF69C841BEDBBB2BF48310F14856AE808A7244DB749985CF92

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 595 bfad88-bfad97 596 bfad99-bfada6 call bfa0e0 595->596 597 bfadc3-bfadc7 595->597 602 bfadbc 596->602 603 bfada8 596->603 599 bfaddb-bfae1c 597->599 600 bfadc9-bfadd3 597->600 606 bfae1e-bfae26 599->606 607 bfae29-bfae37 599->607 600->599 602->597 650 bfadae call bfb020 603->650 651 bfadae call bfb010 603->651 606->607 608 bfae5b-bfae5d 607->608 609 bfae39-bfae3e 607->609 614 bfae60-bfae67 608->614 611 bfae49 609->611 612 bfae40-bfae47 call bfa0ec 609->612 610 bfadb4-bfadb6 610->602 613 bfaef8-bfafb8 610->613 616 bfae4b-bfae59 611->616 612->616 645 bfafba-bfafbd 613->645 646 bfafc0-bfafeb GetModuleHandleW 613->646 617 bfae69-bfae71 614->617 618 bfae74-bfae7b 614->618 616->614 617->618 620 bfae7d-bfae85 618->620 621 bfae88-bfae91 call bfa0fc 618->621 620->621 626 bfae9e-bfaea3 621->626 627 bfae93-bfae9b 621->627 628 bfaea5-bfaeac 626->628 629 bfaec1-bfaece 626->629 627->626 628->629 631 bfaeae-bfaebe call bfa10c call bfa11c 628->631 636 bfaef1-bfaef7 629->636 637 bfaed0-bfaeee 629->637 631->629 637->636 645->646 647 bfafed-bfaff3 646->647 648 bfaff4-bfb008 646->648 647->648 650->610 651->610
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00BFAFDE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2040029296.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_bf0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 18c9853f39160d9b4434cc1f68107f0577ca9105bd8158e73fe660af15f6057c
                                            • Instruction ID: daf4bb6d1c9f25fce5992652e64ac7c513f1712b2fd337c6c19b415bcc7d2132
                                            • Opcode Fuzzy Hash: 18c9853f39160d9b4434cc1f68107f0577ca9105bd8158e73fe660af15f6057c
                                            • Instruction Fuzzy Hash: C57157B0A00B098FD728DF29D48176ABBF5FF88304F10896DD58AD7A50DB34E949CB91

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 652 bf590c-bf5916 653 bf5918-bf59d9 CreateActCtxA 652->653 655 bf59db-bf59e1 653->655 656 bf59e2-bf5a3c 653->656 655->656 663 bf5a3e-bf5a41 656->663 664 bf5a4b-bf5a4f 656->664 663->664 665 bf5a51-bf5a5d 664->665 666 bf5a60 664->666 665->666 668 bf5a61 666->668 668->668
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00BF59C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2040029296.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_bf0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: bcfd84d6d906e674449d8d3d8b91a4e757f5057376596a0b29154139c4efdc1e
                                            • Instruction ID: c70e9aacfa90c4338aaa61c783f344dff9f8b4980223af0cdbd97f7cca1e684f
                                            • Opcode Fuzzy Hash: bcfd84d6d906e674449d8d3d8b91a4e757f5057376596a0b29154139c4efdc1e
                                            • Instruction Fuzzy Hash: 4141E2B0C0061DCBDB24DFA9C88469DBBF5FF44704F20806AD508AB255DB75694ACF90

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 669 bf44b4-bf59d9 CreateActCtxA 672 bf59db-bf59e1 669->672 673 bf59e2-bf5a3c 669->673 672->673 680 bf5a3e-bf5a41 673->680 681 bf5a4b-bf5a4f 673->681 680->681 682 bf5a51-bf5a5d 681->682 683 bf5a60 681->683 682->683 685 bf5a61 683->685 685->685
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00BF59C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2040029296.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_bf0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0

                                            Control-flow Graph (figure not reproduced): basic blocks 69cbbd1-69cbcae, containing the WriteProcessMemory call
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 069CBC68
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0

                                            Control-flow Graph (figure not reproduced): basic blocks 69cbbd8-69cbcae, containing the WriteProcessMemory call
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 069CBC68
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0

                                            Control-flow Graph (figure not reproduced): basic blocks bfd658-bfd71a, containing the DuplicateHandle call
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00BFD626,?,?,?,?,?), ref: 00BFD6E7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2040029296.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_bf0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 069CBD48
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 069CBABE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00BFD626,?,?,?,?,?), ref: 00BFD6E7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2040029296.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_bf0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 069CBD48
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 069CBABE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 069CBB86
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 069CBB86
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 069CE695
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00BFAFDE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2040029296.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_bf0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 069CE695
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2039515623.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b3d000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2039618442.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b4d000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2039618442.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b4d000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2039618442.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b4d000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2039515623.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b3d000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2039618442.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b4d000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2039515623.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b3d000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2039515623.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b3d000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 20ec6f25e069916c6dade1ca301bd793e78a3b0971fcc8dfca5576ba0f14a5df
                                            • Instruction ID: 084dbaa45fe4ab7f85895f5c6cc0bf0b4b9db4c04f15531698d0a119cc67da0f
                                            • Opcode Fuzzy Hash: 20ec6f25e069916c6dade1ca301bd793e78a3b0971fcc8dfca5576ba0f14a5df
                                            • Instruction Fuzzy Hash: DBE10A74E001198FCB54DFA8C5809AEFBB2FF89315F24C169D418AB396D731A942CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7da9aa4960f6252de5da5a10393f5a52cc9eea564c60ab3fcea57c9ca5842dc5
                                            • Instruction ID: dafc68856955f9a02233e2bdd4e1f012c1f3b47582f63be90b6dffc3a2761eca
                                            • Opcode Fuzzy Hash: 7da9aa4960f6252de5da5a10393f5a52cc9eea564c60ab3fcea57c9ca5842dc5
                                            • Instruction Fuzzy Hash: 53E11874E00119CFCB54DFA9C5819AEFBB2FF89315F248169D408AB35AD731A942CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 76e0da67e3c1a9a7ed6012024c465228bd2b8286caf130cbc01450249c17fe11
                                            • Instruction ID: 4e83e3e4327c06cd1142ba14abd6ed0d03f49268ba863d04e15044ea8e1a7842
                                            • Opcode Fuzzy Hash: 76e0da67e3c1a9a7ed6012024c465228bd2b8286caf130cbc01450249c17fe11
                                            • Instruction Fuzzy Hash: E3E10874E001198FCB54DFA9C5809AEFBB2FF89315F64C169D418AB35AD730A942CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 71f7b178a479660d99e7b150d722f07c7a4a6074c0462a528c1c954e835d0450
                                            • Instruction ID: 22b59f848e08679928a574e30928c5418d02c9d75c3d22d5d100510ff5cc699b
                                            • Opcode Fuzzy Hash: 71f7b178a479660d99e7b150d722f07c7a4a6074c0462a528c1c954e835d0450
                                            • Instruction Fuzzy Hash: 4BE11774E001198FCB54DFA8C5809AEFBF2BF89315F24C16AD409AB356D731A942CF61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6640a0b82e36c573282d19369e1f5ab0c73b4a603f8aecad999452eeddc51cf1
                                            • Instruction ID: 265675dc9acacc454ae3d5cfb132322ccc7627d00c55ea1eb4022d9c9ac44591
                                            • Opcode Fuzzy Hash: 6640a0b82e36c573282d19369e1f5ab0c73b4a603f8aecad999452eeddc51cf1
                                            • Instruction Fuzzy Hash: 40D11735C1065ACACB51EF64D990A9DF3B5EF95300F20C79AD50A77224FB70AAC9CB81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2040029296.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_bf0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b83be8fab411fe845529607daeec5acc556b3b77380ee509986e816f92a90fef
                                            • Instruction ID: 97f1be976219c2fdf54944756ebb63b4418ca395b989f16f2ddfa91caea3e53f
                                            • Opcode Fuzzy Hash: b83be8fab411fe845529607daeec5acc556b3b77380ee509986e816f92a90fef
                                            • Instruction Fuzzy Hash: 7FA12D32A1020A8FCF15DFB5C8445BEB7F2FF85300B1545BAE905AB265DB71E95ACB40
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b58ce16a1b086a30c563d44935ad3d009b348e06a00df4b02a9896b74b39eb24
                                            • Instruction ID: 2c38c600d61a21df7961351a97fdae6adaf5bfcc8dc326e8e26909b3bd68c379
                                            • Opcode Fuzzy Hash: b58ce16a1b086a30c563d44935ad3d009b348e06a00df4b02a9896b74b39eb24
                                            • Instruction Fuzzy Hash: E3D10735C1065ACACB51EF64D990A9DF3B5EF95300F20C79AD50A77224FB70AAC9CB81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2059478043.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_69c0000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b2488bb3ff38757cab8639e482bb905ad94310f49e7e5690619d4445c2293aa8
                                            • Instruction ID: fa0cce6382fcec6be8be176df0d71229bf2477a8b3db3aaf58a7aa024472acb5
                                            • Opcode Fuzzy Hash: b2488bb3ff38757cab8639e482bb905ad94310f49e7e5690619d4445c2293aa8
                                            • Instruction Fuzzy Hash: 7B512C74E042198FCB14CFA9C9809AEFBF2BF89315F24C16AD408A7356D7319942CFA1

                                            Execution Graph

                                            Execution Coverage:12.3%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:82
                                            Total number of Limit Nodes:4
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1bc00b95c1ab9a8c9a1fb226f9d86ba3ba63dfea5382b9d1fbe9349f2425f09f
                                            • Instruction ID: 3626f1cf99d621387477d5cdeb3494f53e068cb6144822b89e82d2e190a8ba6e
                                            • Opcode Fuzzy Hash: 1bc00b95c1ab9a8c9a1fb226f9d86ba3ba63dfea5382b9d1fbe9349f2425f09f
                                            • Instruction Fuzzy Hash: C353E631D10B1A8ADB51EF68C8805ADF7B1FF99300F15C79AE4587B121EB70AAD5CB81
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d62baf77c14b10428d7ceac7f69c3a045abf2a95790b738a941a3e829f573eee
                                            • Instruction ID: 7c50e06f7aa0c86888f0b4cecd9409bb657945bcc8fe33867a6024b20401d623
                                            • Opcode Fuzzy Hash: d62baf77c14b10428d7ceac7f69c3a045abf2a95790b738a941a3e829f573eee
                                            • Instruction Fuzzy Hash: C2332F31D1071A8EDB11EF68C8846ADF7B1FF99300F15C79AD459AB211EB70AAC5CB81
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \VBm
                                            • API String ID: 0-971115878
                                            • Opcode ID: 68d1b5156e77242f39cbc2116e0c182fcda05a8dea665473a254b29dc1afd389
                                            • Instruction ID: d11058f31ed09def042ee5137dc2df6979aeba22b92e6ff478f600e4d0d052ef
                                            • Opcode Fuzzy Hash: 68d1b5156e77242f39cbc2116e0c182fcda05a8dea665473a254b29dc1afd389
                                            • Instruction Fuzzy Hash: 30918F70E00209DFDF10DFA9E9827EDBBF2BF88314F148129E415AB294EB749845CB81
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 662d9da61b417ff46107c9b805f9c4145684a1cb1263e927eaf9a399e55e189a
                                            • Instruction ID: 81cba01af2c882f15cafca2b207442ddf2ee3324fe6e95603a6d66a8ee2a3b8b
                                            • Opcode Fuzzy Hash: 662d9da61b417ff46107c9b805f9c4145684a1cb1263e927eaf9a399e55e189a
                                            • Instruction Fuzzy Hash: 4C524834A002058FDB25DB68D585AADBBF2FF48314F54846AD429EF356DB34EC82CB91
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 277937a98d51f1b4be347a446519db5d87a3b61fbd879704a2642f1f629fe0f1
                                            • Instruction ID: 2343d2ba141e215ae10175a423216b10280f195d3490a9bbc8b8bb1f8b22a475
                                            • Opcode Fuzzy Hash: 277937a98d51f1b4be347a446519db5d87a3b61fbd879704a2642f1f629fe0f1
                                            • Instruction Fuzzy Hash: BFB16F70E00209CFDF14CFA9E9867ADBBF6BF88314F148529D419EB294EB749845CB81

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (&]q$(aq
                                            • API String ID: 0-1602648543
                                            • Opcode ID: f28f673f37eea5d06b0fddfd1349ccf6bd3033e77c4fa98578da90acd36931e1
                                            • Instruction ID: 99ccf0aa7357f68c17b62f1a33df91a6f7366979462db0126b226c31ba03bc68
                                            • Opcode Fuzzy Hash: f28f673f37eea5d06b0fddfd1349ccf6bd3033e77c4fa98578da90acd36931e1
                                            • Instruction Fuzzy Hash: 5471A231F002199BDB59DFB9D8506AEBBB6BFC4700F14852AD416AB380DF309D06C7A1

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \VBm$\VBm
                                            • API String ID: 0-2856288231
                                            • Opcode ID: c085f0fa85e48afc1b252d50b1ecbe215740fd056e779c0772c22db2531fb430
                                            • Instruction ID: 5f8d2d61462328c54abe682bce4c63445565dad0286bc1ce3f710cdcbd4cdc69
                                            • Opcode Fuzzy Hash: c085f0fa85e48afc1b252d50b1ecbe215740fd056e779c0772c22db2531fb430
                                            • Instruction Fuzzy Hash: B1715C70E00209DFDB14DFADD8827AEBBF2BF88714F148129E415AB254EB749842CF95

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \VBm$\VBm
                                            • API String ID: 0-2856288231
                                            • Opcode ID: 8fae7ac66195b2ed93e29b9a4a7aa03a13353f8ddcaef7859fa7024d11cbcdd7
                                            • Instruction ID: eac323fd1bc991c73aa74f802cf54ed608eda78e3e9ef1bc026b8e657fa145cb
                                            • Opcode Fuzzy Hash: 8fae7ac66195b2ed93e29b9a4a7aa03a13353f8ddcaef7859fa7024d11cbcdd7
                                            • Instruction Fuzzy Hash: FB714BB0D00249DFDB10DFADD9827AEBBF2BF48314F148129E419AB254EB749842CF95

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR]q$LR]q
                                            • API String ID: 0-3917262905
                                            • Opcode ID: 04e4e2dfb73e09a74178d3ef04c3a4b14befbcd4a2ddef7d3adc5e3f925ece28
                                            • Instruction ID: 8f202f469f40406ccb91cefaf3077b0e1ea6c176e14527956055083c853eabb4
                                            • Opcode Fuzzy Hash: 04e4e2dfb73e09a74178d3ef04c3a4b14befbcd4a2ddef7d3adc5e3f925ece28
                                            • Instruction Fuzzy Hash: A651E030A102058FEB16DF78E45579EBBB2FF89300F10846AE405EF281DB719846CB51

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4494935733.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_6420000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: dfe73088fcfbe5089c362f6e692c5f9b23261dafc4b005424df8777401406ccc
                                            • Instruction ID: d2d69849fad294330a99c8ee33038b7e78da1f6513286a0736194e29af73472c
                                            • Opcode Fuzzy Hash: dfe73088fcfbe5089c362f6e692c5f9b23261dafc4b005424df8777401406ccc
                                            • Instruction Fuzzy Hash: F1711270A00B168FD7A5DF6AD44475ABBF5BF88200F20892ED09AD7B50DB74E909CB90

                                            Control-flow Graph
                                            • Function at 064266D3, basic blocks 064266D3 through 06426792. DuplicateHandle is called from block 064266D8-0642676C.
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0642675F
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4494935733.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_6420000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: ccc0e9c3eaf66f1ff51856149b24113df2990aed04ec26f53dcf6968957c1f83
                                            • Instruction ID: ea0922f2bdbb0f2279eea877a1e3d087f5e6101381295ca90408582d437b7a75
                                            • Opcode Fuzzy Hash: ccc0e9c3eaf66f1ff51856149b24113df2990aed04ec26f53dcf6968957c1f83
                                            • Instruction Fuzzy Hash: CD21E7B5D002199FDB10DF99D984ADEBFF8EB48310F14841AE914A7310D778A940CFA1
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0642675F
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4494935733.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_6420000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 0511eec4a45f34a63735c14b5913917b9a089d2ece6955cc3695a0b94ac3989c
                                            • Instruction ID: e37ca6f4530be8abba10cd5bbec8d26c003ce1cef20e1735e69cd9ca8e62f2f3
                                            • Opcode Fuzzy Hash: 0511eec4a45f34a63735c14b5913917b9a089d2ece6955cc3695a0b94ac3989c
                                            • Instruction Fuzzy Hash: 4021E3B5D002099FDB10DFAAD984ADEBBF8EB48310F14801AE918A3310D778A940CFA0
                                            APIs
                                            • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 064227EB
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4494935733.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_6420000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: 15033187c5ddd3770a48dcbe58c77c8ed823a62c9888b7d1517da0376223db1c
                                            • Instruction ID: 5c8952926dbc1f83d6ab08db53c88dec35f96fb1843c50d58f61390a9a0b7af0
                                            • Opcode Fuzzy Hash: 15033187c5ddd3770a48dcbe58c77c8ed823a62c9888b7d1517da0376223db1c
                                            • Instruction Fuzzy Hash: 1921F575D042598FCB54DFA9C844BEFBBF5FB88310F24841AE459A7250C7749A41CFA1
                                            APIs
                                            • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 064227EB
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4494935733.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_6420000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: 277cbdbf23ae3d6d34673b1d8c5a9a477485f96226f213f90497b1f32534c827
                                            • Instruction ID: 4ce484b16724d36a026f0b2a577d99a758916c953cc35da9b0669f244c316473
                                            • Opcode Fuzzy Hash: 277cbdbf23ae3d6d34673b1d8c5a9a477485f96226f213f90497b1f32534c827
                                            • Instruction Fuzzy Hash: EF2104B5D042198FCB54DF99C844BEEFBF5BB88310F20842AE418A7250C774A940CFA1
                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(8B55063E), ref: 0644E377
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4495059295.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_6440000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: bed3af5e43080e1517ee3ef7ab05f2597be8a43aeaaa2e34422d17ef4011ae60
                                            • Instruction ID: 1bdd0b57dbbc0dd8e00481aeb8688f3d4f094c5196bb87536c8bf2e433b6e728
                                            • Opcode Fuzzy Hash: bed3af5e43080e1517ee3ef7ab05f2597be8a43aeaaa2e34422d17ef4011ae60
                                            • Instruction Fuzzy Hash: 691100B1C006599BDB10DF9AD545BEEFBB4FF48324F10812AE818A7250D778A945CFE1
                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(8B55063E), ref: 0644E377
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4495059295.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_6440000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: a44138586356fca34cb6b1a4223ffc06ebd7397601062cf97b95720d12b872ca
                                            • Instruction ID: 8da1eaefb4f0f8b3fccdbd900510ecb6238252fe79821f781c28769927264341
                                            • Opcode Fuzzy Hash: a44138586356fca34cb6b1a4223ffc06ebd7397601062cf97b95720d12b872ca
                                            • Instruction Fuzzy Hash: EA111FB1C006599BCB10DF9AC444BAEFBF8BF48320F10812AD818A7250D778A940CFE1
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0642E9BC), ref: 0642EBF6
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4494935733.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_6420000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: add3b9555afbadbf246c8cf6c918db4e19e6f36457817ad47ce5d00f57388eb8
                                            • Instruction ID: 1418bb03025b63a5aafb753346caa6159ec4868433a702ffa7ad7b52108f7ee7
                                            • Opcode Fuzzy Hash: add3b9555afbadbf246c8cf6c918db4e19e6f36457817ad47ce5d00f57388eb8
                                            • Instruction Fuzzy Hash: 6211F0B5C003598FDB10DF9AC448AAEFBF4EB49210F20842AD529B7210D379A545CFA5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \VBm
                                            • API String ID: 0-971115878
                                            • Opcode ID: be3ffea30dcd5b2eb66abccf2081011b062e4ae089e5e74a0b192389078ed3b0
                                            • Instruction ID: c72a0bb51a4ffad96b4ccc461372cf88cb0a37506d3235ae37f6f8c5066770a7
                                            • Opcode Fuzzy Hash: be3ffea30dcd5b2eb66abccf2081011b062e4ae089e5e74a0b192389078ed3b0
                                            • Instruction Fuzzy Hash: C7917F70E00209DFDF10DFA9E9827EDBBF1BF88354F148129E419AB254EB749845CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH]q
                                            • API String ID: 0-3168235125
                                            • Opcode ID: 98f57ef4b7d82df4e4a44dd5b72c26b6edf6655f84807d436d05327a67487e40
                                            • Instruction ID: 9894ab405c7ff49e6e5060a864f436a2b5da41af5ec10bca5f880c983d68406b
                                            • Opcode Fuzzy Hash: 98f57ef4b7d82df4e4a44dd5b72c26b6edf6655f84807d436d05327a67487e40
                                            • Instruction Fuzzy Hash: 64312030B002058FDB19AB38E46166E3BE7BF89240F204439D01ADB399DF35CC46CBA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR]q
                                            • API String ID: 0-3081347316
                                            • Opcode ID: 0818848cecc06194f963f6232c898cd8344eb81f177c544dfa204d8f96522fdd
                                            • Instruction ID: ca253f23e0c757e3322032054519fa44e60a9234e4a7925076995b6cde7020d6
                                            • Opcode Fuzzy Hash: 0818848cecc06194f963f6232c898cd8344eb81f177c544dfa204d8f96522fdd
                                            • Instruction Fuzzy Hash: EB319034E102099FEB16CFA8E45679DB7B1FF89300F508825E815EF240EB71A985CF51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR]q
                                            • API String ID: 0-3081347316
                                            • Opcode ID: 1b7fa009e74a7ea13617f9aacf80b1604be4b8babcd2c70cd8aea9c625b643cf
                                            • Instruction ID: 1decdb1921af7c2f5abb726241aeeea0a08bdad9ce1278af1d325f8120de95c7
                                            • Opcode Fuzzy Hash: 1b7fa009e74a7ea13617f9aacf80b1604be4b8babcd2c70cd8aea9c625b643cf
                                            • Instruction Fuzzy Hash: 8F2135327042068FC705AB7CD465B9E77F6EF85300F008869D009CB355DE798C468792
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f3e6f355d0ddb3eef088b7fe0ff533477d6aafee34e5fbf00caff254c225d9e6
                                            • Instruction ID: 9471e55733ebf96965b737be42e9ffb1dc624fd8e3963687e76c9fa13f838063
                                            • Opcode Fuzzy Hash: f3e6f355d0ddb3eef088b7fe0ff533477d6aafee34e5fbf00caff254c225d9e6
                                            • Instruction Fuzzy Hash: D4123B307102069FCB6AAB38F555A2C37AAFB89314F104A39E416CB365CF75EC56CB91
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 84ff40c188dfaeb592f05a3ec26b82c9f9647b69337f6f519584c7b0cec33adb
                                            • Instruction ID: 0c578ffa17427399ba2c9dceb773cce59b62f4e71c4c746bb365686004a7b5fd
                                            • Opcode Fuzzy Hash: 84ff40c188dfaeb592f05a3ec26b82c9f9647b69337f6f519584c7b0cec33adb
                                            • Instruction Fuzzy Hash: 84D1D070B002058FDB14DF68E8817AEBBB6FB89324F14856AE509DF396D770D841CBA1
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c5b1e1b1413bb9748caa9640145c8ec241e913675edd657be10d6259c7173d01
                                            • Instruction ID: 79b1551ce5b96c001d7d918564ecf2ae82065fc8b41760158972e2217afc2824
                                            • Opcode Fuzzy Hash: c5b1e1b1413bb9748caa9640145c8ec241e913675edd657be10d6259c7173d01
                                            • Instruction Fuzzy Hash: 26B19034A001058FCB19DFA8E595AADBBF6FF88324F204529E506DB395DB74DD42CBA0
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 025adf7803bfa90e0c1422454076bd3fb75c694d6bdb1e1effcceaeaf54ccca7
                                            • Instruction ID: 3f42921daac7169a31e7733fd9711beedc14005c289dfcb24e466a703a084d3c
                                            • Opcode Fuzzy Hash: 025adf7803bfa90e0c1422454076bd3fb75c694d6bdb1e1effcceaeaf54ccca7
                                            • Instruction Fuzzy Hash: B5A15E70E00219CFDF10CFA9E9867ADBBF2BF88314F148529D459EB294EB749845CB81
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 31ded8a0ae0dd6c55a205eef0ce9cd99af3614a7cf5cc2cac9c42dc8870b87f9
                                            • Instruction ID: 33a6848e6472197248e1c71370a1820a68a04b45ba97f0781a801701557c256a
                                            • Opcode Fuzzy Hash: 31ded8a0ae0dd6c55a205eef0ce9cd99af3614a7cf5cc2cac9c42dc8870b87f9
                                            • Instruction Fuzzy Hash: 815114B0D106198FEB14CFA9D845B9DBBF1BF48304F148529D819BB391DB749844CF95
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: acbf991be8736c2eec5adeb8a60386b82fe5866846745ea6088c1f48a793f7b2
                                            • Instruction ID: 4a2ea1ca36ea8cf206cad660d71c57ab7eb09310e6cbd4807d11e38b442e16c5
                                            • Opcode Fuzzy Hash: acbf991be8736c2eec5adeb8a60386b82fe5866846745ea6088c1f48a793f7b2
                                            • Instruction Fuzzy Hash: 67510270D106188FEB18CFA9D885B9EBBF1BF48314F148529E819BB291DB74A844CF95
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6655e0d5b78b7115499f452503384131506c2b584710dc50ba290c15e23a7c7f
                                            • Instruction ID: 2f643f72933992a41f02102a449789000171c5dbd03f1455170627d464297b50
                                            • Opcode Fuzzy Hash: 6655e0d5b78b7115499f452503384131506c2b584710dc50ba290c15e23a7c7f
                                            • Instruction Fuzzy Hash: 53510A7160224ADFCB79EFA8F9A1D443FA5FB653047004979D0059B63DDB386D49CB90
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f7575818e2de077ec643a10c7b5f5b1b3ed45974a35869c607cc6ff192771eba
                                            • Instruction ID: a2fe631cc428783b237cad8e6e23e0cbf2766698b8bb8225dcecd61b82e6fd21
                                            • Opcode Fuzzy Hash: f7575818e2de077ec643a10c7b5f5b1b3ed45974a35869c607cc6ff192771eba
                                            • Instruction Fuzzy Hash: FD51097020224ADFCB6AEFA8F9A1D443FA6FB653143008979D0049B23DDB386D49DB90
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9ced8dea66a0f2b796abbe77b0724fab9febb10334ddc32a846b43bca5af09ce
                                            • Instruction ID: 77a4c45b9992f63648b6b457fc101cb615a7e61deeec7901db690a4c90c170ca
                                            • Opcode Fuzzy Hash: 9ced8dea66a0f2b796abbe77b0724fab9febb10334ddc32a846b43bca5af09ce
                                            • Instruction Fuzzy Hash: 28316135E106059BCB19CFA9D89569EB7B6FF89300F10851AE816EB350DB70E942CB91
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 76510b7be62ba020adc8798780d5efdd50c3fdcb33420d7215e10b65b985e85e
                                            • Instruction ID: d7e68f6505664c5dd81d4b7650965f95abd36ee30f1fe6fee5eb9d716e3d78f3
                                            • Opcode Fuzzy Hash: 76510b7be62ba020adc8798780d5efdd50c3fdcb33420d7215e10b65b985e85e
                                            • Instruction Fuzzy Hash: 2831D330E0020A9BDB15DFA9E49579EF7B6FF84318F148519E805EF341DB749942CBA1
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6e6051128d8f3b29ad46366b33f9c7519d9c958b675e7204dfa9974ecda92651
                                            • Instruction ID: 7d5fc3be225a51d3e7262d35bd03bcff6a2e3d4b903dec2753dac554e6ccc503
                                            • Opcode Fuzzy Hash: 6e6051128d8f3b29ad46366b33f9c7519d9c958b675e7204dfa9974ecda92651
                                            • Instruction Fuzzy Hash: C241FEB4D003499FDB10CFA9C985ADEBFB5FF08310F24842AE819AB254DB759946CB90
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4486550902.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1570000_GLOWINGSEA_RFQ_1105-12-24-3077-103-AUX.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2eaaee1be47a5bc785806f8905f5f1cf29363071a57b73fdd22690bbac20aa48
                                            • Instruction ID: c8afe02cea9b73235cc8792b0f5bd6b94371644907562dee4dd1414bc3336218
                                            • Opcode Fuzzy Hash: 2eaaee1be47a5bc785806f8905f5f1cf29363071a57b73fdd22690bbac20aa48