Windows Analysis Report
Gcerti Quote.exe

Overview

General Information

Sample name: Gcerti Quote.exe
Analysis ID: 1428412
MD5: 9a6474186b145552217cf4d421309733
SHA1: b21733889432abe65233736ce0e0289f8f3bddc4
SHA256: 3815bc3a78dc96a0af4aca4446b3afa741d3910530ae69b06895b0e499d49aa6
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Gcerti Quote.exe (PID: 968 cmdline: "C:\Users\user\Desktop\Gcerti Quote.exe" MD5: 9A6474186B145552217CF4D421309733)
    • Gcerti Quote.exe (PID: 7140 cmdline: "C:\Users\user\Desktop\Gcerti Quote.exe" MD5: 9A6474186B145552217CF4D421309733)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.italiacanda-it.com", "Username": "snpss@italiacanda-it.com", "Password": "dsrociz1               "}

Yara Overview

Memory dumps (5 of 7 entries shown):
Source | Rule | Description | Author
00000002.00000002.2574408572.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.2574408572.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.2577396201.00000000032CB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.2577396201.00000000032A1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.2577396201.00000000032A1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs (5 of 12 entries shown):
Source | Rule | Description | Author
0.2.Gcerti Quote.exe.37d7690.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.Gcerti Quote.exe.37d7690.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Gcerti Quote.exe.37d7690.3.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  Matched strings:
  • 0x316e9: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3175b: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317e5: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31877: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318e1: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31953: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319e9: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a79: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.Gcerti Quote.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.Gcerti Quote.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
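The eight `$s1`..`$s8` strings above are the whole of what the community rule keys on, so the match can be reproduced outside the sandbox. The following is an added Python example, not code from Joe Sandbox or from the rule's author: it searches a file image for those GUIDs in both the ASCII and UTF-16LE forms that a Yara `ascii wide` string covers (the .NET `#US` heap stores literals as UTF-16LE, which is why the wide form matters for this sample). The `MZ` check and the 3-of-8 threshold are assumptions standing in for the rule's real condition, which this report does not reproduce, and the input blob is constructed, not bytes from the sample.

```python
"""Re-implementation of the string-matching half of the community Yara rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (ditekSHen) that fired on this
sample. Added example; threshold and PE check are assumptions."""
import re

# The eight GUID strings exactly as the sandbox reported them ($s1..$s8).
VAULT_SCHEMA_GUIDS = {
    "$s1": "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "$s2": "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "$s3": "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "$s4": "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "$s5": "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "$s6": "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "$s7": "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "$s8": "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
}


def _patterns():
    # One compiled byte regex per (name, encoding), mirroring Yara's
    # `ascii wide` modifier: the ASCII form catches native binaries, the
    # UTF-16LE form catches .NET string literals in the #US heap.
    out = []
    for name, guid in VAULT_SCHEMA_GUIDS.items():
        out.append((name, "ascii", re.compile(re.escape(guid.encode("ascii")))))
        out.append((name, "wide", re.compile(re.escape(guid.encode("utf-16-le")))))
    return out


_PATTERNS = _patterns()


def scan_vault_guids(data: bytes):
    """Return [(name, offset, encoding)] for every hit, sorted by offset."""
    hits = []
    for name, enc, pat in _PATTERNS:
        for m in pat.finditer(data):
            hits.append((name, m.start(), enc))
    return sorted(hits, key=lambda h: h[1])


def is_vault_aware_pe(data: bytes, min_distinct: int = 3) -> bool:
    """Assumed condition: MZ header plus at least `min_distinct` distinct
    GUIDs. Distinctness mirrors Yara's 'N of ($s*)', which counts strings,
    not occurrences."""
    if len(data) < 2 or data[:2] != b"MZ":
        return False
    distinct = {name for name, _, _ in scan_vault_guids(data)}
    return len(distinct) >= min_distinct


def build_sample_blob() -> bytes:
    """Constructed test input (not from the sample): MZ stub, padding, two
    ASCII GUIDs, one UTF-16LE GUID and an unrelated GUID that must not match."""
    blob = bytearray(b"MZ" + b"\x00" * 0x3E)                     # 0x40 bytes
    blob += b"4BF4C442-9B8A-41A0-B380-DD4A704DDB28"                # $s4 ascii @0x40
    blob += b"\x00" * 16
    blob += "77BC582B-F0A6-4E15-4E80-61736B6F3B29".encode("utf-16-le")  # $s5 wide @0x74
    blob += b"\x00" * 16
    blob += b"00000000-0000-0000-0000-000000000000"                # decoy, no match
    blob += b"3E0E35BE-1B77-43E7-B873-AED901B6275B"                # $s7 ascii @0xf0
    return bytes(blob)


if __name__ == "__main__":
    blob = build_sample_blob()
    for name, off, enc in scan_vault_guids(blob):
        print(f"{name} at 0x{off:x} ({enc})")
    print("vault-aware PE:", is_vault_aware_pe(blob))
```

Run against a real dump, the offsets this returns are directly comparable with the `0x316e9`-style offsets in the table above; a hit only in the wide form is the usual signature of a managed (.NET) stealer rather than a native one.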

                    System Summary

Sigma rule matched: Suspicious Outbound SMTP Connections (author: frack113). Event data: EventID 3 (network connection), Image: C:\Users\user\Desktop\Gcerti Quote.exe, ProcessId: 7140, Protocol: tcp, Initiated: true, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49708, DestinationIp: 208.91.198.143, DestinationIsIpv6: false, DestinationPort: 587
                    No Snort rule has matched


                    AV Detection

Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.italiacanda-it.com", "Username": "snpss@italiacanda-it.com", "Password": "dsrociz1 "}
Source: Gcerti Quote.exe | ReversingLabs: Detection: 65%
Source: Gcerti Quote.exe | Joe Sandbox ML: detected
Source: Gcerti Quote.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: Gcerti Quote.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Gcerti Quote.exe | Code function 0_2_05798D0D: 4x nop then jmp 05798C07h

                    Networking

Source: Yara match | File source: 0.2.Gcerti Quote.exe.37d7690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.9:49708 -> 208.91.198.143:587
Source: global traffic | TCP traffic: 192.168.2.9:49708 -> 208.91.199.223:587
Source: global traffic | TCP traffic: 192.168.2.9:49708 -> 208.91.199.224:587
Source: global traffic | TCP traffic: 192.168.2.9:49708 -> 208.91.199.225:587
Source: Joe Sandbox View | IP Address: 208.91.198.143
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | IP Address: 208.91.199.225
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org (3 queries)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0, Host: api.ipify.org, Connection: Keep-Alive (2 requests)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: Gcerti Quote.exe, 00000002.00000002.2577396201.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Gcerti Quote.exe, 00000002.00000002.2577396201.00000000032CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://smtp.italiacanda-it.com
Source: Gcerti Quote.exe, 00000002.00000002.2577396201.00000000032CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Gcerti Quote.exe, 00000000.00000002.1346501403.000000000379C000.00000004.00000800.00020000.00000000.sdmp, Gcerti Quote.exe, 00000002.00000002.2574408572.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: Gcerti Quote.exe, 00000000.00000002.1346501403.000000000379C000.00000004.00000800.00020000.00000000.sdmp, Gcerti Quote.exe, 00000002.00000002.2574408572.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Gcerti Quote.exe, 00000002.00000002.2577396201.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: Gcerti Quote.exe, 00000002.00000002.2577396201.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: Gcerti Quote.exe, 00000002.00000002.2577396201.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.9:49707 version: TLS 1.2
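The network evidence above is the classic AgentTesla sequence: a public-IP lookup against api.ipify.org over TLS (with a browser User-Agent), then an SMTP session on port 587 from a process that is not a mail client, which is what the matched Sigma rule "Suspicious Outbound SMTP Connections" (frack113) catches. The following is an added Python example, not Joe Sandbox's code and not the Sigma rule's own logic: it runs both checks over constructed Sysmon-style EventID 3 (network connection) and EventID 22 (DNS query) records rendered as key=value lines, and then correlates them per process. The port list, the mail-client allowlist and the IP-check domain set are the author's assumptions; the image path, PID 7140, the 192.168.2.9:49708 -> 208.91.198.143:587 connection, the 104.26.12.205:443 connection and the api.ipify.org query are taken from this report, while the other processes and addresses in the log are made up.

```python
"""Added detection example for the two network behaviours in this report:
outbound SMTP from a non-mail-client process, and an external-IP lookup
before the SMTP session. Log format, port list, allowlist and domain set are
assumptions; see the comments."""
import re
from collections import defaultdict

# Assumptions (not copied from the Sigma rule text, which this report does
# not reproduce): SMTP submission ports, processes allowed to use them, and
# domains whose only purpose is to reveal the host's public IP.
SMTP_PORTS = {25, 465, 587, 2525}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
IP_CHECK_DOMAINS = {"api.ipify.org"}

# key=value or key="quoted value" pairs; quoted values may contain backslashes.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one constructed Sysmon-style key=value line into a dict."""
    return {k: (q if q else v) for k, q, v in _KV.findall(line)}


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return (rule, image, pid, detail) tuples for records that match either
    the outbound-SMTP rule or the external-IP-lookup rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        pid = ev.get("ProcessId")
        if eid == "3":  # Sysmon network connection
            if ev.get("Initiated", "").lower() != "true":
                continue  # only client-side (outbound) connections count
            try:
                port = int(ev.get("DestinationPort", ""))
            except ValueError:
                continue
            if port in SMTP_PORTS and _basename(image) not in MAIL_CLIENTS:
                alerts.append(("susp_outbound_smtp", image, pid,
                               f"{ev.get('DestinationIp')}:{port}"))
        elif eid == "22":  # Sysmon DNS query
            qname = ev.get("QueryName", "").lower().rstrip(".")
            if qname in IP_CHECK_DOMAINS:
                alerts.append(("external_ip_lookup", image, pid, qname))
    return alerts


def exfil_chain(alerts):
    """PIDs that both looked up their public IP and opened an SMTP session:
    the lookup-then-mail sequence this sample shows."""
    seen = defaultdict(set)
    for rule, _, pid, _ in alerts:
        seen[pid].add(rule)
    return {pid for pid, rules in seen.items()
            if {"external_ip_lookup", "susp_outbound_smtp"} <= rules}


# Constructed log lines. Sample-specific values come from this report; the
# OUTLOOK.EXE, svchost.exe and firefox.exe records and their addresses
# (203.0.113.5, 192.0.2.10) are made up to exercise the filters.
SAMPLE_LOG = [
    r'EventID=22 Image="C:\Users\user\Desktop\Gcerti Quote.exe" ProcessId=7140 QueryName=api.ipify.org QueryResults=104.26.12.205',
    r'EventID=3 Image="C:\Users\user\Desktop\Gcerti Quote.exe" ProcessId=7140 Protocol=tcp Initiated=true SourceIp=192.168.2.9 SourcePort=49707 DestinationIp=104.26.12.205 DestinationPort=443',
    r'EventID=3 Image="C:\Users\user\Desktop\Gcerti Quote.exe" ProcessId=7140 Protocol=tcp Initiated=true SourceIp=192.168.2.9 SourcePort=49708 DestinationIp=208.91.198.143 DestinationPort=587',
    r'EventID=3 Image="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" ProcessId=4321 Protocol=tcp Initiated=true SourceIp=192.168.2.9 SourcePort=50001 DestinationIp=203.0.113.5 DestinationPort=587',
    r'EventID=3 Image="C:\Windows\System32\svchost.exe" ProcessId=900 Protocol=tcp Initiated=false SourceIp=192.168.2.9 SourcePort=587 DestinationIp=192.0.2.10 DestinationPort=51234',
    r'EventID=22 Image="C:\Program Files\Mozilla Firefox\firefox.exe" ProcessId=2222 QueryName=www.mozilla.org QueryResults=::ffff:192.0.2.10',
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("exfil chain PIDs:", exfil_chain(found))
```

The allowlist is deliberately short: the point of the Sigma rule is that almost nothing on a workstation should speak SMTP directly, so every addition to `MAIL_CLIENTS` should be justified by an observed, signed mail client. The per-PID correlation is what turns two medium-confidence signals into a high-confidence one; the port-443 connection to the same ipify address is left unalerted on purpose, since the DNS query already attributes it.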

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, K6raBsUk6.cs | .Net Code: _1kx
Source: 0.2.Gcerti Quote.exe.37d7690.3.raw.unpack, K6raBsUk6.cs | .Net Code: _1kx

                    System Summary

Source: 0.2.Gcerti Quote.exe.37d7690.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (author: ditekSHen)
Source: 2.2.Gcerti Quote.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (author: ditekSHen)
Source: 0.2.Gcerti Quote.exe.379cc70.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (author: ditekSHen)
Source: 0.2.Gcerti Quote.exe.37d7690.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (author: ditekSHen)
Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (author: ditekSHen)
Source: Gcerti Quote.exe, ExceptionMessage.cs | Large array initialization: array initializer size 616592
Source: 0.2.Gcerti Quote.exe.258a3e4.0.raw.unpack, .cs | Large array initialization: array initializer size 13798
Source: C:\Users\user\Desktop\Gcerti Quote.exe | Code functions (process 0): 0_2_00D0E240, 0_2_0579A8D8, 0_2_05798AA0, 0_2_05794360, 0_2_05794BD0, 0_2_05798A90
Source: C:\Users\user\Desktop\Gcerti Quote.exe | Code functions (process 2): 2_2_015A8D88, 2_2_015AD6F7, 2_2_015A8C30, 2_2_015AB8B8, 2_2_018CE1C1, 2_2_018C4A98, 2_2_018CAA1B, 2_2_018C3E80, 2_2_018C41C8, 2_2_018C0D77, 2_2_06DD65E8, 2_2_06DD55A8, 2_2_06DD7D78, 2_2_06DDB220, 2_2_06DD3060, 2_2_06DDC170, 2_2_06DD7698, 2_2_06DD5CDB, 2_2_06DD05A8, 2_2_06DDE388, 2_2_06DD2370, 2_2_06DD0007
Source: Gcerti Quote.exe, 00000000.00000002.1345046966.00000000006BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename clr.dll vs Gcerti Quote.exe
Source: Gcerti Quote.exe, 00000000.00000002.1350157359.00000000050C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename SimpleLogin.dll vs Gcerti Quote.exe
Source: Gcerti Quote.exe, 00000000.00000002.1346501403.000000000379C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename d1d0086e-f958-473c-b56d-1a9de9dc0359.exe vs Gcerti Quote.exe
Source: Gcerti Quote.exe, 00000000.00000002.1346501403.000000000379C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename Tyrone.dll vs Gcerti Quote.exe
Source: Gcerti Quote.exe, 00000000.00000002.1350519021.00000000059B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename Tyrone.dll vs Gcerti Quote.exe
Source: Gcerti Quote.exe, 00000000.00000002.1345999029.00000000025B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename d1d0086e-f958-473c-b56d-1a9de9dc0359.exe vs Gcerti Quote.exe
Source: Gcerti Quote.exe, 00000000.00000002.1345999029.0000000002561000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename SimpleLogin.dll vs Gcerti Quote.exe
Source: Gcerti Quote.exe, 00000002.00000002.2574408572.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename d1d0086e-f958-473c-b56d-1a9de9dc0359.exe vs Gcerti Quote.exe
Source: Gcerti Quote.exe, 00000002.00000002.2574622576.00000000012F9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilename UNKNOWN_FILE vs Gcerti Quote.exe
Source: Gcerti Quote.exe | Binary or memory string: OriginalFilename NsUw.exe vs Gcerti Quote.exe
Source: 0.2.Gcerti Quote.exe.37d7690.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.Gcerti Quote.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Gcerti Quote.exe.379cc70.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Gcerti Quote.exe.37d7690.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Gcerti Quote.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, c2bZQnG.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, c2bZQnG.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, Q1L0K.cs | Cryptographic APIs: 'TransformFinalBlock' (2 methods)
Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, uo1UBaEHa.cs | Cryptographic APIs: 'TransformFinalBlock' (4 methods)
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, pdY2feOEB7Q4P75scM.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, pdY2feOEB7Q4P75scM.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, biCNQP8BONLoNEeqIF.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, biCNQP8BONLoNEeqIF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, biCNQP8BONLoNEeqIF.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, biCNQP8BONLoNEeqIF.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, biCNQP8BONLoNEeqIF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, biCNQP8BONLoNEeqIF.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/5
Source: C:\Users\user\Desktop\Gcerti Quote.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Gcerti Quote.exe.log
Source: C:\Users\user\Desktop\Gcerti Quote.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\Gcerti Quote.exe | Mutant created: \Sessions\1\BaseNamedObjects\ahhuFzThKm
Source: Gcerti Quote.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Gcerti Quote.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Gcerti Quote.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Gcerti Quote.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Gcerti Quote.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Gcerti Quote.exe | File read: C:\Users\user\Desktop\Gcerti Quote.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\Gcerti Quote.exe "C:\Users\user\Desktop\Gcerti Quote.exe"
Source: C:\Users\user\Desktop\Gcerti Quote.exe | Process created: C:\Users\user\Desktop\Gcerti Quote.exe "C:\Users\user\Desktop\Gcerti Quote.exe"
Source: C:\Users\user\Desktop\Gcerti Quote.exe | Sections loaded (first load sequence, in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (loaded twice), uxtheme.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, windowscodecs.dll, windows.storage.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, sspicli.dll, propsys.dll
Source: C:\Users\user\Desktop\Gcerti Quote.exe | Sections loaded (second load sequence, in order): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (loaded twice), uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, vaultcli.dll, wintypes.dll
Source: C:\Users\user\Desktop\Gcerti Quote.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Gcerti Quote.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Gcerti Quote.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Gcerti Quote.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

                    Data Obfuscation

                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, biCNQP8BONLoNEeqIF.cs | .Net Code: Lh2YaPILsp System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, biCNQP8BONLoNEeqIF.cs | .Net Code: Lh2YaPILsp System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Gcerti Quote.exe.258a3e4.0.raw.unpack, LoginForm.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Code function: 0_2_00D06230 push esp; ret 0_2_00D06239
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Code function: 0_2_057904E6 push esi; ret 0_2_057904E7
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Code function: 0_2_05798700 push ebp; iretd 0_2_05798725
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Code function: 0_2_05798681 push ebp; iretd 0_2_057986A5
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Code function: 0_2_05795192 push E8FFFFFFh; iretd 0_2_0579519D
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Code function: 0_2_057903D2 push FFFFFFC4h; iretd 0_2_057903D4
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Code function: 2_2_018C0CB5 push edi; ret 2_2_018C0CC2
                    Source: Gcerti Quote.exe | Static PE information: section name: .text entropy: 7.927894078342841
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, a29hdazao4dduN4f76.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'v1jA7IHm5Y', 'EmWApkPJBZ', 'yGQAGVrX0G', 't77AitcT1N', 'fV5AxoNb3D', 'y1rAAchnQE', 'Ij1AVOQyAP'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, qr6IqWHA39delcefpUo.cs | High entropy of concatenated method names: 'SEWAfEnm3A', 'OodAPo9E16', 'bjHAafZq4S', 'Uo8AClEps4', 'NpNA6mhtbR', 'X9hAdlWDjQ', 'Mq3AMwZT8T', 'KS9ARY2BBg', 'LwnALT2CuZ', 'BhoAjF5nky'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, PTTuyVMcmfFe0NCfK2.cs | High entropy of concatenated method names: 'MxBxtTZEHm', 'L3axmSc1kv', 'GvDxbx32dN', 'Pc1xyk5VYc', 'ffExvyT8TO', 'vLgxKM1d5k', 'rZBxq1qL9K', 'DOvx1ZaxLE', 'xeyxhh0KX9', 'dQLxEobWZm'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, cJHxb8HlRmHiGWECoTQ.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'T1OVO4JXK9', 'm6bVuGlZUU', 'pvpVBYCdIf', 'O9SV21sw1g', 'VVtVHPhJ00', 'i9vVZLMxp0', 'V37VgEac8G'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, a3Mh7yCaXvKwHiXv4S.cs | High entropy of concatenated method names: 'Dispose', 'tCnonLZsEa', 'bDv5FiFcwH', 'FlUQQ8xS0W', 'uedo9LfDWE', 'rMkozjhXD0', 'ProcessDialogKey', 'PRv5l2iBQj', 'fVk5odW5fu', 'ymy55fVNQv'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, UXCjChnYhaI7UNr4qS.cs | High entropy of concatenated method names: 'WKr7RJIfpe', 'TO17LFh0WW', 'GqV7kwBA4U', 'Gip7F9ApvX', 'tkW7e9VGxx', 'OFR78mE8aI', 'jCW73SgYQh', 'HaF7srenMa', 'qUm74w5TQP', 'Sdr7IogTwK'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, biCNQP8BONLoNEeqIF.cs | High entropy of concatenated method names: 'Q97D0mDPAi', 'gmwDtlk7Bp', 'm77DmZkOnX', 'UlkDboGfvZ', 'zERDytFrP0', 'oPADvjUNwu', 'Ge8DKYnNeK', 'DqFDqoVqm2', 'nnmD1LChCn', 'WcvDhtPFXp'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, pyiYrm0BKK73XikD28.cs | High entropy of concatenated method names: 'Xnhy670egr', 'GCgyMehNHE', 'i8NbXc6AgE', 'M2Nbe4NacV', 'UiZb88NbDl', 'LeCbSFGLDO', 'LjWb3ViKTd', 'kJubsgJ2ba', 'VSPbwVDvEn', 'DLnb4DpKl2'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, gFdexHFaaD4cEJcs8p.cs | High entropy of concatenated method names: 'JMVAwqE8i3T539TSGhR', 'HWsK2fE1CLtDyJop4j4', 'gAmvxFZkx7', 'aGkvAFQqAA', 'flsvV30S6n', 'XIyla6E0PBjqgjjmiG8', 'KdTYtAElD6Y6hXYEDYM'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, pdY2feOEB7Q4P75scM.cs | High entropy of concatenated method names: 'BfLmOZHLem', 'h2KmuKgsuc', 'MaWmBxcXjN', 'NJCm2ZU90m', 'CnmmHUOcJU', 'dGMmZSn0pE', 'Opnmgas0MR', 'aSimcReBLs', 'rhlmnia7tb', 'Yhmm9NB974'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, wJq0MfDIUfaouA28xv.cs | High entropy of concatenated method names: 'ToString', 'umHGIpWM0m', 'ceFGFtd7On', 'cCOGX9iqfL', 'li8Ge5sc7v', 'dDjG8sqZJV', 'SIZGSjLmRe', 'o1EG3YljPl', 'g65GseR9Ks', 'kKBGw3JdjV'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, Ixoro1td292Qgwk5VC.cs | High entropy of concatenated method names: 'qerv0YKErY', 'c4Xvm0dKTZ', 'f1yvyAXq40', 'mVlvKLN5kA', 'twPvqj7kwK', 'ASbyHyNPqQ', 'Rs4yZLBTkt', 'HmpygKoetV', 'GtZyckAROu', 'c0WynmGJRT'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, znf9XtUuUtKixFr9mg.cs | High entropy of concatenated method names: 'QNAaZE9Hr', 'dwfCKvjO5', 'I40du2VIf', 'stEMyrxfk', 'g1WLAmbvQ', 'jkwjMJGdu', 'H8osRTXDo3IBiKAxyi', 'B5ed36u6DgXo7FU9oF', 'HvdxvjEdD', 'J9hVenFWl'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, nnuegImrahOMABdQ4W.cs | High entropy of concatenated method names: 'pBpp4ZSrKT', 'vvxpTWtWFv', 'LFSpOZs0ED', 'pxkpuUhJfX', 'FdSpFlWhsn', 'UD8pXUm2m9', 'H94peaye9L', 'guhp8fDTML', 'nABpSWehc0', 'hVbp3T3oH5'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, uTAC5xb39sKkx4FDuH.cs | High entropy of concatenated method names: 'K6uAoDLUCL', 'q4oADeLhFw', 'owmAYW7Drv', 'YV8AtUaetQ', 'AObAme2vCT', 'SipAyiXRuo', 'OACAvfsJH1', 'UnpxgyKgQi', 'OlixcsaR3D', 'AHdxnkxYpG'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, RMYX84IMaUr9MYjOPo.cs | High entropy of concatenated method names: 'MnQicRkKWc', 'Lndi9Ba55J', 'vSMxlKJ5PD', 'DYxxokhR8b', 'noCiI4CPLd', 'msIiTfngLd', 'InYiUpSaUq', 'zU9iOeCNyi', 'xtciu7KSZJ', 'tNRiBasn7u'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, hdFvDjkss96iwQgJW4.cs | High entropy of concatenated method names: 'HjaKf7YF6V', 'V1nKPcdeaw', 'iKvKaia1p9', 'gIiKCCEfES', 'hVoK6Os80v', 'BXxKdfKkDv', 'XTXKMCfFYy', 'ynhKRcn9FX', 'qcOKLXOLfh', 'LZaKjcxF7p'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, PRSON4XLlc79GlsfC0.cs | High entropy of concatenated method names: 'lbLKtbfZfS', 'KVFKbMoKqH', 'A1WKvMusgu', 'qvnv9TfyTE', 'jivvzY9Vpr', 'oyIKlmN9Xu', 'C6NKoh4tBB', 'Q6OK5iJDSn', 'yUYKD4QRTb', 'ODbKYRYUnp'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, o8P50JT6AyrEU9YL5X.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'o6w5ntI4p3', 'DZp59QFAlo', 'Yee5zJs56m', 'o7CDlYuGmZ', 'XsXDo1nyME', 'NhYD5JJ91J', 'TRoDDm0wro', 'I3m5r5PPH57y5Vnkpyj'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, xX3kTQ6DmFsDnV1E8k.cs | High entropy of concatenated method names: 'zZwbCIboQV', 'VfMbdNfVE3', 'pAvbRIEFd8', 'mcjbLNYqhv', 'X1cbpg1ad1', 'gZ0bGjgAO1', 'WhWbiOtBWs', 'H1vbxFi4BN', 'CFnbAgBNBW', 'tDQbVB3YTy'
                    Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, TIEOMsKaTE6wXAYRRl.cs | High entropy of concatenated method names: 'pKNoKZop2a', 'faOoqS2RRv', 'i2dohLEbYy', 'dAEoE6ZTKC', 'EANoptIfwk', 'bVvoGRQV4X', 'KNl6qYOV0KeWdvOOsA', 'df9KhvyG4gp4qjZHuD', 'hq3ooKamPE', 'Q4boD8r7j6'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, a29hdazao4dduN4f76.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'v1jA7IHm5Y', 'EmWApkPJBZ', 'yGQAGVrX0G', 't77AitcT1N', 'fV5AxoNb3D', 'y1rAAchnQE', 'Ij1AVOQyAP'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, qr6IqWHA39delcefpUo.cs | High entropy of concatenated method names: 'SEWAfEnm3A', 'OodAPo9E16', 'bjHAafZq4S', 'Uo8AClEps4', 'NpNA6mhtbR', 'X9hAdlWDjQ', 'Mq3AMwZT8T', 'KS9ARY2BBg', 'LwnALT2CuZ', 'BhoAjF5nky'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, PTTuyVMcmfFe0NCfK2.cs | High entropy of concatenated method names: 'MxBxtTZEHm', 'L3axmSc1kv', 'GvDxbx32dN', 'Pc1xyk5VYc', 'ffExvyT8TO', 'vLgxKM1d5k', 'rZBxq1qL9K', 'DOvx1ZaxLE', 'xeyxhh0KX9', 'dQLxEobWZm'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, cJHxb8HlRmHiGWECoTQ.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'T1OVO4JXK9', 'm6bVuGlZUU', 'pvpVBYCdIf', 'O9SV21sw1g', 'VVtVHPhJ00', 'i9vVZLMxp0', 'V37VgEac8G'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, a3Mh7yCaXvKwHiXv4S.cs | High entropy of concatenated method names: 'Dispose', 'tCnonLZsEa', 'bDv5FiFcwH', 'FlUQQ8xS0W', 'uedo9LfDWE', 'rMkozjhXD0', 'ProcessDialogKey', 'PRv5l2iBQj', 'fVk5odW5fu', 'ymy55fVNQv'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, UXCjChnYhaI7UNr4qS.cs | High entropy of concatenated method names: 'WKr7RJIfpe', 'TO17LFh0WW', 'GqV7kwBA4U', 'Gip7F9ApvX', 'tkW7e9VGxx', 'OFR78mE8aI', 'jCW73SgYQh', 'HaF7srenMa', 'qUm74w5TQP', 'Sdr7IogTwK'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, biCNQP8BONLoNEeqIF.cs | High entropy of concatenated method names: 'Q97D0mDPAi', 'gmwDtlk7Bp', 'm77DmZkOnX', 'UlkDboGfvZ', 'zERDytFrP0', 'oPADvjUNwu', 'Ge8DKYnNeK', 'DqFDqoVqm2', 'nnmD1LChCn', 'WcvDhtPFXp'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, pyiYrm0BKK73XikD28.cs | High entropy of concatenated method names: 'Xnhy670egr', 'GCgyMehNHE', 'i8NbXc6AgE', 'M2Nbe4NacV', 'UiZb88NbDl', 'LeCbSFGLDO', 'LjWb3ViKTd', 'kJubsgJ2ba', 'VSPbwVDvEn', 'DLnb4DpKl2'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, gFdexHFaaD4cEJcs8p.cs | High entropy of concatenated method names: 'JMVAwqE8i3T539TSGhR', 'HWsK2fE1CLtDyJop4j4', 'gAmvxFZkx7', 'aGkvAFQqAA', 'flsvV30S6n', 'XIyla6E0PBjqgjjmiG8', 'KdTYtAElD6Y6hXYEDYM'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, pdY2feOEB7Q4P75scM.cs | High entropy of concatenated method names: 'BfLmOZHLem', 'h2KmuKgsuc', 'MaWmBxcXjN', 'NJCm2ZU90m', 'CnmmHUOcJU', 'dGMmZSn0pE', 'Opnmgas0MR', 'aSimcReBLs', 'rhlmnia7tb', 'Yhmm9NB974'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, wJq0MfDIUfaouA28xv.cs | High entropy of concatenated method names: 'ToString', 'umHGIpWM0m', 'ceFGFtd7On', 'cCOGX9iqfL', 'li8Ge5sc7v', 'dDjG8sqZJV', 'SIZGSjLmRe', 'o1EG3YljPl', 'g65GseR9Ks', 'kKBGw3JdjV'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, Ixoro1td292Qgwk5VC.cs | High entropy of concatenated method names: 'qerv0YKErY', 'c4Xvm0dKTZ', 'f1yvyAXq40', 'mVlvKLN5kA', 'twPvqj7kwK', 'ASbyHyNPqQ', 'Rs4yZLBTkt', 'HmpygKoetV', 'GtZyckAROu', 'c0WynmGJRT'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, znf9XtUuUtKixFr9mg.cs | High entropy of concatenated method names: 'QNAaZE9Hr', 'dwfCKvjO5', 'I40du2VIf', 'stEMyrxfk', 'g1WLAmbvQ', 'jkwjMJGdu', 'H8osRTXDo3IBiKAxyi', 'B5ed36u6DgXo7FU9oF', 'HvdxvjEdD', 'J9hVenFWl'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, nnuegImrahOMABdQ4W.cs | High entropy of concatenated method names: 'pBpp4ZSrKT', 'vvxpTWtWFv', 'LFSpOZs0ED', 'pxkpuUhJfX', 'FdSpFlWhsn', 'UD8pXUm2m9', 'H94peaye9L', 'guhp8fDTML', 'nABpSWehc0', 'hVbp3T3oH5'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, uTAC5xb39sKkx4FDuH.cs | High entropy of concatenated method names: 'K6uAoDLUCL', 'q4oADeLhFw', 'owmAYW7Drv', 'YV8AtUaetQ', 'AObAme2vCT', 'SipAyiXRuo', 'OACAvfsJH1', 'UnpxgyKgQi', 'OlixcsaR3D', 'AHdxnkxYpG'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, RMYX84IMaUr9MYjOPo.cs | High entropy of concatenated method names: 'MnQicRkKWc', 'Lndi9Ba55J', 'vSMxlKJ5PD', 'DYxxokhR8b', 'noCiI4CPLd', 'msIiTfngLd', 'InYiUpSaUq', 'zU9iOeCNyi', 'xtciu7KSZJ', 'tNRiBasn7u'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, hdFvDjkss96iwQgJW4.cs | High entropy of concatenated method names: 'HjaKf7YF6V', 'V1nKPcdeaw', 'iKvKaia1p9', 'gIiKCCEfES', 'hVoK6Os80v', 'BXxKdfKkDv', 'XTXKMCfFYy', 'ynhKRcn9FX', 'qcOKLXOLfh', 'LZaKjcxF7p'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, PRSON4XLlc79GlsfC0.cs | High entropy of concatenated method names: 'lbLKtbfZfS', 'KVFKbMoKqH', 'A1WKvMusgu', 'qvnv9TfyTE', 'jivvzY9Vpr', 'oyIKlmN9Xu', 'C6NKoh4tBB', 'Q6OK5iJDSn', 'yUYKD4QRTb', 'ODbKYRYUnp'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, o8P50JT6AyrEU9YL5X.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'o6w5ntI4p3', 'DZp59QFAlo', 'Yee5zJs56m', 'o7CDlYuGmZ', 'XsXDo1nyME', 'NhYD5JJ91J', 'TRoDDm0wro', 'I3m5r5PPH57y5Vnkpyj'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, xX3kTQ6DmFsDnV1E8k.cs | High entropy of concatenated method names: 'zZwbCIboQV', 'VfMbdNfVE3', 'pAvbRIEFd8', 'mcjbLNYqhv', 'X1cbpg1ad1', 'gZ0bGjgAO1', 'WhWbiOtBWs', 'H1vbxFi4BN', 'CFnbAgBNBW', 'tDQbVB3YTy'
                    Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, TIEOMsKaTE6wXAYRRl.cs | High entropy of concatenated method names: 'pKNoKZop2a', 'faOoqS2RRv', 'i2dohLEbYy', 'dAEoE6ZTKC', 'EANoptIfwk', 'bVvoGRQV4X', 'KNl6qYOV0KeWdvOOsA', 'df9KhvyG4gp4qjZHuD', 'hq3ooKamPE', 'Q4boD8r7j6'
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: Gcerti Quote.exe PID: 968, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Memory allocated: D00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Memory allocated: 2560000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Memory allocated: 24B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Memory allocated: 5A30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Memory allocated: 6A30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Memory allocated: 6C70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Memory allocated: 7C70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Memory allocated: 18C0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Memory allocated: 3250000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Memory allocated: 31A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Window / User API: threadDelayed 1311
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe | Window / User API: threadDelayed 8550
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 3304 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep count: 32 > 30
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -29514790517935264s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 6388 | Thread sleep count: 1311 > 30
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -99865s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 6388 | Thread sleep count: 8550 > 30
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -99750s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -99640s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -99531s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -99422s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -99308s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -99170s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -99031s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -98922s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -98812s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -98703s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -98594s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -98469s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -98359s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -98250s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -98140s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -98031s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -97922s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -97812s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -97703s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -97594s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -97470s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -97344s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -97234s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -97125s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -97015s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -96905s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -96790s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -96687s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -96578s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -96468s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -96359s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -96250s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 | Thread sleep time: -96140s >= -30000s
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084Thread sleep time: -96031s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084Thread sleep time: -95922s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084Thread sleep time: -95812s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084Thread sleep time: -95703s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084Thread sleep time: -95594s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084Thread sleep time: -95484s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084Thread sleep time: -95374s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084Thread sleep time: -95265s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084Thread sleep time: -95156s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084Thread sleep time: -95047s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084Thread sleep time: -94937s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084Thread sleep time: -94828s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084Thread sleep time: -94719s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084Thread sleep time: -94594s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084Thread sleep time: -94469s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Gcerti Quote.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Gcerti Quote.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 99865
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 99750
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 99640
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 99531
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 99422
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 99308
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 99170
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 99031
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 98922
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 98812
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 98703
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 98594
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 98469
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 98359
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 98250
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 98140
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 98031
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 97922
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 97812
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 97703
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 97594
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 97470
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 97344
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 97234
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 97125
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 97015
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 96905
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 96790
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 96687
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 96578
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 96468
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 96359
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 96250
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 96140
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 96031
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 95922
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 95812
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 95703
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 95594
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 95484
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 95374
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 95265
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 95156
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 95047
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 94937
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 94828
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 94719
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 94594
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 94469
Source: Gcerti Quote.exe, 00000002.00000002.2574684975.0000000001456000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll||
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Gcerti Quote.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Gcerti Quote.exe Memory written: C:\Users\user\Desktop\Gcerti Quote.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process created: C:\Users\user\Desktop\Gcerti Quote.exe "C:\Users\user\Desktop\Gcerti Quote.exe"
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Users\user\Desktop\Gcerti Quote.exe VolumeInformation
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Users\user\Desktop\Gcerti Quote.exe VolumeInformation
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Gcerti Quote.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match, File source: 0.2.Gcerti Quote.exe.37d7690.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Gcerti Quote.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Gcerti Quote.exe.379cc70.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Gcerti Quote.exe.37d7690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2574408572.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2577396201.00000000032CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2577396201.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1346501403.000000000379C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Gcerti Quote.exe PID: 968, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Gcerti Quote.exe PID: 7140, type: MEMORYSTR
Source: C:\Users\user\Desktop\Gcerti Quote.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\Gcerti Quote.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Gcerti Quote.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\Gcerti Quote.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\Gcerti Quote.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Gcerti Quote.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Gcerti Quote.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\Gcerti Quote.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Gcerti Quote.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Gcerti Quote.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Gcerti Quote.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match, File source: 0.2.Gcerti Quote.exe.37d7690.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Gcerti Quote.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Gcerti Quote.exe.379cc70.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Gcerti Quote.exe.37d7690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2574408572.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2577396201.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1346501403.000000000379C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Gcerti Quote.exe PID: 968, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Gcerti Quote.exe PID: 7140, type: MEMORYSTR

Remote Access Functionality

Source: Yara match, File source: 0.2.Gcerti Quote.exe.37d7690.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Gcerti Quote.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Gcerti Quote.exe.379cc70.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Gcerti Quote.exe.37d7690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2574408572.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2577396201.00000000032CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2577396201.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1346501403.000000000379C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Gcerti Quote.exe PID: 968, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Gcerti Quote.exe PID: 7140, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | 1 Credentials in Registry | 111 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | Keylogging | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 141 Virtualization/Sandbox Evasion | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

Source | Detection | Scanner | Label
Gcerti Quote.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.LokiBot
Gcerti Quote.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Reputation
us2.smtp.mailhostbox.com | 208.91.198.143 | true | false | high
api.ipify.org | 104.26.12.205 | true | false | high
smtp.italiacanda-it.com | unknown | unknown | true | unknown

Name | Malicious | Reputation
https://api.ipify.org/ | false | high

Name | Source | Malicious | Reputation
https://api.ipify.org | Gcerti Quote.exe, 00000000.00000002.1346501403.000000000379C000.00000004.00000800.00020000.00000000.sdmp, Gcerti Quote.exe, 00000002.00000002.2574408572.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Gcerti Quote.exe, 00000002.00000002.2577396201.0000000003251000.00000004.00000800.00020000.00000000.sdmp | false | high
https://account.dyn.com/ | Gcerti Quote.exe, 00000000.00000002.1346501403.000000000379C000.00000004.00000800.00020000.00000000.sdmp, Gcerti Quote.exe, 00000002.00000002.2574408572.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | high
http://smtp.italiacanda-it.com | Gcerti Quote.exe, 00000002.00000002.2577396201.00000000032CB000.00000004.00000800.00020000.00000000.sdmp | false | unknown
https://api.ipify.org/t | Gcerti Quote.exe, 00000002.00000002.2577396201.0000000003251000.00000004.00000800.00020000.00000000.sdmp | false | high
http://us2.smtp.mailhostbox.com | Gcerti Quote.exe, 00000002.00000002.2577396201.00000000032CB000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Gcerti Quote.exe, 00000002.00000002.2577396201.0000000003251000.00000004.00000800.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.91.198.143 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
208.91.199.225 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
208.91.199.223 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
208.91.199.224 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1428412
Start date and time: 2024-04-18 22:35:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Gcerti Quote.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@2/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 84
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: Gcerti Quote.exe
Time | Type | Description
22:36:02 | API Interceptor | 22937x Sleep call for process: Gcerti Quote.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
208.91.198.143 | Syknivkloo.exe | Get hash | malicious | AgentTesla | Browse
  | CTM REQUEST BIRTHSHIP.doc | Get hash | malicious | AgentTesla | Browse
  | PURCHASE ORDER -HDPESD.exe | Get hash | malicious | AgentTesla | Browse
  | rks18.doc | Get hash | malicious | AgentTesla | Browse
  | PayFmc6FL4.exe | Get hash | malicious | AgentTesla | Browse
  | DHL 0028374.exe | Get hash | malicious | AgentTesla | Browse
  | J2TDUpZm2s.exe | Get hash | malicious | AgentTesla | Browse
  | J1odVFynAz.exe | Get hash | malicious | AgentTesla | Browse
  | Doc via Dhl.exe | Get hash | malicious | AgentTesla | Browse
  | Quote.exe | Get hash | malicious | AgentTesla | Browse
104.26.12.205 | Sky-Beta.exe | Get hash | malicious | Stealit | Browse
    • api.ipify.org/?format=json
  | SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe | Get hash | malicious | Bunny Loader | Browse
    • api.ipify.org/
  | lods.cmd | Get hash | malicious | Remcos | Browse
    • api.ipify.org/
208.91.199.225 | Syknivkloo.exe | Get hash | malicious | AgentTesla | Browse
  | CTM REQUEST BIRTHSHIP.doc | Get hash | malicious | AgentTesla | Browse
  | PURCHASE ORDER -HDPESD.exe | Get hash | malicious | AgentTesla | Browse
  | rks18.doc | Get hash | malicious | AgentTesla | Browse
  | PayFmc6FL4.exe | Get hash | malicious | AgentTesla | Browse
  | DHL 0028374.exe | Get hash | malicious | AgentTesla | Browse
  | J2TDUpZm2s.exe | Get hash | malicious | AgentTesla | Browse
  | J1odVFynAz.exe | Get hash | malicious | AgentTesla | Browse
  | Doc via Dhl.exe | Get hash | malicious | AgentTesla | Browse
  | Quote.exe | Get hash | malicious | AgentTesla | Browse
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
us2.smtp.mailhostbox.com | Syknivkloo.exe | Get hash | malicious | AgentTesla | Browse
    • 208.91.199.223
  | CTM REQUEST BIRTHSHIP.doc | Get hash | malicious | AgentTesla | Browse
    • 208.91.198.143
  | PURCHASE ORDER -HDPESD.exe | Get hash | malicious | AgentTesla | Browse
    • 208.91.199.225
  | rks18.doc | Get hash | malicious | AgentTesla | Browse
    • 208.91.199.225
  | PayFmc6FL4.exe | Get hash | malicious | AgentTesla | Browse
    • 208.91.199.224
  | DHL 0028374.exe | Get hash | malicious | AgentTesla | Browse
    • 208.91.199.223
  | J2TDUpZm2s.exe | Get hash | malicious | AgentTesla | Browse
    • 208.91.198.143
  | J1odVFynAz.exe | Get hash | malicious | AgentTesla | Browse
    • 208.91.199.225
  | Doc via Dhl.exe | Get hash | malicious | AgentTesla | Browse
    • 208.91.199.223
  | Quote.exe | Get hash | malicious | AgentTesla | Browse
    • 208.91.198.143
api.ipify.org | Shipping Dcuments_CI PKL_HL_.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse
    • 172.67.74.152
  | hesaphareketi-01.pdf.SCR.exe | Get hash | malicious | AgentTesla | Browse
    • 104.26.12.205
  | order & specification.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse
    • 104.26.13.205
  | SHIPPING DOCUMENTS_PDF..vbs | Get hash | malicious | AgentTesla, GuLoader | Browse
    • 104.26.13.205
  | Payment Advice.exe | Get hash | malicious | AgentTesla | Browse
    • 104.26.13.205
  | RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Get hash | malicious | AgentTesla | Browse
    • 104.26.13.205
  | order 4500381478001.exe | Get hash | malicious | AgentTesla | Browse
    • 104.26.13.205
  | Scan-IMG PO Order CW289170-A CW201.bat.exe | Get hash | malicious | AgentTesla | Browse
    • 172.67.74.152
  | TransactionSummary_910020049836765_110424045239.xlsx | Get hash | malicious | AgentTesla | Browse
    • 104.26.13.205
  | PRODUCT LIST_002673CC1F68.pdf.exe | Get hash | malicious | AgentTesla | Browse
    • 172.67.74.152
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
PUBLIC-DOMAIN-REGISTRYUS | Syknivkloo.exe | Get hash | malicious | AgentTesla | Browse
    • 208.91.199.224
  | F723838674.vbs | Get hash | malicious | Remcos | Browse
    • 116.206.104.215
  | CTM REQUEST BIRTHSHIP.doc | Get hash | malicious | AgentTesla | Browse
    • 208.91.199.224
  | PURCHASE ORDER -HDPESD.exe | Get hash | malicious | AgentTesla | Browse
    • 208.91.199.224
  | order 4500381478001.exe | Get hash | malicious | AgentTesla | Browse
    • 162.215.248.214
  | Bill-Transcript_6ZB6-IJYD3B-SEH0.html | Get hash | malicious | Unknown | Browse
    • 45.113.122.212
  | rks18.doc | Get hash | malicious | AgentTesla | Browse
    • 208.91.199.224
  | PayFmc6FL4.exe | Get hash | malicious | AgentTesla | Browse
    • 208.91.199.224
  | F873635427.vbs | Get hash | malicious | Remcos, XWorm | Browse
    • 116.206.104.215
  | DHL 0028374.exe | Get hash | malicious | AgentTesla | Browse
    • 208.91.199.224
CLOUDFLARENETUS | wFtZih4nN9.elf | Get hash | malicious | Mirai | Browse
    • 104.28.24.146
  | https://nwcchicago-my.sharepoint.com/:b:/p/jpsanavaitis/EZA36vHeUQxCnJ96O418g94BWiWpCx4SyNTLHION5X1T7g?e=N00DO7 | Get hash | malicious | HTMLPhisher | Browse
    • 104.17.25.14
  | https://tracker.club-os.com/campaign/click?msgId=f8ea317d963149a518aa35e03e5541f797badf3c&target=splendidanimations.com%2F%40%2FBigge/aDRmd79087aDRmd79087aDRmd/ZHN3ZWF6YUBiaWdnZS5jb20= | Get hash | malicious | HTMLPhisher | Browse
    • 104.17.2.184
  | PO_983888123.xls | Get hash | malicious | Unknown | Browse
    • 172.67.206.230
  | https://dinamicconsultores.app.questorpublico.com.br/ | Get hash | malicious | HTMLPhisher | Browse
    • 104.21.235.213
  | PO_983888123.xls | Get hash | malicious | Unknown | Browse
    • 172.67.206.230
  | PO_983888123.xls | Get hash | malicious | Unknown | Browse
    • 172.67.206.230
  | Shipping Dcuments_CI PKL_HL_.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse
    • 172.67.74.152
  | F723838674.vbs | Get hash | malicious | Unknown | Browse
    • 104.21.84.67
  | hesaphareketi-01.pdf.SCR.exe | Get hash | malicious | AgentTesla | Browse
    • 104.26.12.205
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | Shipping Dcuments_CI PKL_HL_.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse
    • 104.26.12.205
  | hesaphareketi-01.pdf.SCR.exe | Get hash | malicious | AgentTesla | Browse
    • 104.26.12.205
  | Request for Proposal Quote_2414976#U00b7pdf.vbs | Get hash | malicious | GuLoader, Lokibot | Browse
    • 104.26.12.205
  | Signed Proforma Invoice 3645479_pdf.vbs | Get hash | malicious | FormBook | Browse
    • 104.26.12.205
  | F723838674.vbs | Get hash | malicious | Remcos | Browse
    • 104.26.12.205
  | order & specification.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse
    • 104.26.12.205
  | SHIPPING DOCUMENTS_PDF..vbs | Get hash | malicious | AgentTesla, GuLoader | Browse
    • 104.26.12.205
  | DHL Receipt_pdf.vbs | Get hash | malicious | AgentTesla | Browse
    • 104.26.12.205
  | Remittance slip.vbs | Get hash | malicious | Unknown | Browse
    • 104.26.12.205
  | Cheater Pro 1.6.0.msi | Get hash | malicious | Unknown | Browse
    • 104.26.12.205
                                                                                No context
                                                                                Process:C:\Users\user\Desktop\Gcerti Quote.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):1415
                                                                                Entropy (8bit):5.352427679901606
                                                                                Encrypted:false
                                                                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
                                                                                MD5:97AD91F1C1F572C945DA12233082171D
                                                                                SHA1:D5E33DDAB37E32E416FC40419FB26B3C0563519D
                                                                                SHA-256:3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
                                                                                SHA-512:8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Entropy (8bit):7.918086947891207
                                                                                TrID:
                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                File name:Gcerti Quote.exe
                                                                                File size:700'928 bytes
                                                                                MD5:9a6474186b145552217cf4d421309733
                                                                                SHA1:b21733889432abe65233736ce0e0289f8f3bddc4
                                                                                SHA256:3815bc3a78dc96a0af4aca4446b3afa741d3910530ae69b06895b0e499d49aa6
                                                                                SHA512:33f247c4ef21221d983927b7f2f54a63d51d23840bfb4edfb9aac32f8a2b6856566c78c00e3ce147e574b1b61526f16c2c7f818f4a291d006183be6e73b7b416
                                                                                SSDEEP:12288:urfrr2rrDirIlL3zxlDB3gHSmlNyqrCysnM8f/zR0NIV8ngQItKxKQCHrdWnuS:5lL3zxlD5aTl0VpM4/F0NA8ngQPird8X
                                                                                TLSH:C8E4120C9BEC8E08C95D477CF593984447B2E717E243EF2B6DD460E91EB6BC88680697
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. ....................................@................................
                                                                                Icon Hash:9931c5b98687b385
                                                                                Entrypoint:0x4ab6ce
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                Time Stamp:0x661F0FD8 [Tue Apr 16 23:55:04 2024 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:4
                                                                                OS Version Minor:0
                                                                                File Version Major:4
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:4
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                Instruction
                                                                                jmp dword ptr [00402000h]
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xab680 | 0x4b | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xac000 | 0x1600 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xae000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xa96d4 | 0xa9800 | ef9d8f712ece18ded85feb06be479352 | False | 0.9435538232853983 | data | 7.927894078342841 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xac000 | 0x1600 | 0x1600 | 5cf77b12f7274d3dd8a187ae0bd0929f | False | 0.7345525568181818 | data | 6.524734925945253 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xae000 | 0xc | 0x200 | 58a8b0674ea75aa500eda598cc07472d | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xac0c8 | 0xf5d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9125349605898805 |
| RT_GROUP_ICON | 0xad038 | 0x14 | data | | | 1.05 |
| RT_VERSION | 0xad05c | 0x3c0 | data | | | 0.4510416666666667 |
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Apr 18, 2024 22:36:04.034859896 CEST | 192.168.2.9 | 1.1.1.1 | 0xc029 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false |
| Apr 18, 2024 22:36:05.207449913 CEST | 192.168.2.9 | 1.1.1.1 | 0x3dba | Standard query (0) | smtp.italiacanda-it.com | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 18, 2024 22:36:04.139656067 CEST | 1.1.1.1 | 192.168.2.9 | 0xc029 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false |
| Apr 18, 2024 22:36:04.139656067 CEST | 1.1.1.1 | 192.168.2.9 | 0xc029 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false |
| Apr 18, 2024 22:36:04.139656067 CEST | 1.1.1.1 | 192.168.2.9 | 0xc029 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false |
| Apr 18, 2024 22:36:05.449570894 CEST | 1.1.1.1 | 192.168.2.9 | 0x3dba | No error (0) | smtp.italiacanda-it.com | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Apr 18, 2024 22:36:05.449570894 CEST | 1.1.1.1 | 192.168.2.9 | 0x3dba | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001) | false |
| Apr 18, 2024 22:36:05.449570894 CEST | 1.1.1.1 | 192.168.2.9 | 0x3dba | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001) | false |
| Apr 18, 2024 22:36:05.449570894 CEST | 1.1.1.1 | 192.168.2.9 | 0x3dba | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001) | false |
| Apr 18, 2024 22:36:05.449570894 CEST | 1.1.1.1 | 192.168.2.9 | 0x3dba | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001) | false |
                                                                                • api.ipify.org
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.9 | 49707 | 104.26.12.205 | 443 | 7140 | C:\Users\user\Desktop\Gcerti Quote.exe |

2024-04-18 20:36:04 UTC, 155 bytes, OUT:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive

2024-04-18 20:36:04 UTC, 211 bytes, IN:
HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 20:36:04 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 876771e89dd578d1-ATL

2024-04-18 20:36:04 UTC, 12 bytes, IN:
Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32
Data Ascii: 81.181.57.52



Target ID: 0
Start time: 22:36:01
Start date: 18/04/2024
Path: C:\Users\user\Desktop\Gcerti Quote.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Gcerti Quote.exe"
Imagebase: 0x190000
File size: 700'928 bytes
MD5 hash: 9A6474186B145552217CF4D421309733
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1346501403.000000000379C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1346501403.000000000379C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 22:36:02
Start date: 18/04/2024
Path: C:\Users\user\Desktop\Gcerti Quote.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Gcerti Quote.exe"
Imagebase: 0xe90000
File size: 700'928 bytes
MD5 hash: 9A6474186B145552217CF4D421309733
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2574408572.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2574408572.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2577396201.00000000032CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2577396201.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2577396201.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


Execution Graph

Execution Coverage: 13.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 8.5%
Total number of Nodes: 213
Total number of Limit Nodes: 20
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 64bebb0add44ffb49bcaa731dd613712f871a4408ad6c741dce54c2fef6da5c2
                                                                                  • Instruction ID: 10249a8d159d5d7f05d670910588fe8bf3eb460762a464a97906cf33bf72b45b
                                                                                  • Opcode Fuzzy Hash: 64bebb0add44ffb49bcaa731dd613712f871a4408ad6c741dce54c2fef6da5c2
                                                                                  • Instruction Fuzzy Hash: 77E1D9707027048FEF29DB65E954BAEB7F7AF89600F148469D1469B390DF34E802CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%
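The call graph above chains CreateProcessA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread, which is the API sequence of process hollowing: a child is started, its memory is replaced with an attacker-supplied image, the primary thread's context is pointed at the new entry and the thread is resumed. The Python below is an added example and is not code from the Joe Sandbox report or from the sample. It correlates a per-process API trace by the child handles CreateProcessA returns and scores the chain per child; the API names are the ones in the graph, while the pids, handle values, sizes and image paths in SAMPLE_TRACE are constructed for illustration.

```python
"""Score a process-hollowing API chain in a per-process API trace.

Added example, not from the Joe Sandbox report or the sample. API names match
the report's call graph for the 05790000 region; pids, handles, sizes and
image paths in SAMPLE_TRACE are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CREATE_SUSPENDED = 0x00000004      # dwCreationFlags bit (winbase.h)
PAGE_EXECUTE_READWRITE = 0x40      # flProtect value (winnt.h)
# Scored stages in canonical order. ReadProcessMemory (reading the child's
# PEB / image base) is typical for hollowing but optional, so it is not scored.
CHAIN = ("VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread")
CONTEXT_APIS = {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}


@dataclass
class ApiCall:
    caller_pid: int
    api: str
    args: dict
    ret: dict = None


@dataclass
class ChildRecord:
    caller_pid: int
    child_pid: int
    image: str
    suspended: bool
    stages: List[str] = field(default_factory=list)
    bytes_written: int = 0
    rwx_alloc: bool = False


def _in_order(needle: Tuple[str, ...], hay: List[str]) -> bool:
    """True if every stage in needle occurs in hay, in that order."""
    it = iter(hay)
    return all(any(seen == want for seen in it) for want in needle)


def find_hollowing_chains(trace: List[ApiCall]) -> List[dict]:
    """Correlate calls by (caller pid, child handle) and score each child."""
    by_handle: Dict[Tuple[int, int], ChildRecord] = {}
    records: List[ChildRecord] = []
    for call in trace:
        if call.api in ("CreateProcessA", "CreateProcessW"):
            rec = ChildRecord(
                caller_pid=call.caller_pid, child_pid=call.ret["dwProcessId"],
                image=call.args.get("lpApplicationName") or call.args.get("lpCommandLine", ""),
                suspended=bool(call.args.get("dwCreationFlags", 0) & CREATE_SUSPENDED))
            records.append(rec)
            # Both returned handles refer to this child; later calls use either one.
            by_handle[(call.caller_pid, call.ret["hProcess"])] = rec
            by_handle[(call.caller_pid, call.ret["hThread"])] = rec
            continue
        handle = call.args.get("hProcess", call.args.get("hThread"))
        rec = by_handle.get((call.caller_pid, handle))
        if rec is None:
            continue  # not aimed at a child this caller created
        stage = "SetThreadContext" if call.api in CONTEXT_APIS else call.api
        if stage not in CHAIN:
            continue
        if stage == "VirtualAllocEx" and call.args.get("flProtect") == PAGE_EXECUTE_READWRITE:
            rec.rwx_alloc = True
        if stage == "WriteProcessMemory":
            rec.bytes_written += call.args.get("nSize", 0)
        if not rec.stages or rec.stages[-1] != stage:  # collapse repeated writes
            rec.stages.append(stage)

    findings = []
    for rec in records:
        if _in_order(CHAIN, rec.stages):
            verdict = "process_hollowing"
        elif len(rec.stages) >= 2:
            verdict = "partial_injection"  # truncated trace or another injection style
        else:
            continue
        findings.append({"verdict": verdict, "caller_pid": rec.caller_pid,
                         "child_pid": rec.child_pid, "image": rec.image,
                         "created_suspended": rec.suspended, "rwx_alloc": rec.rwx_alloc,
                         "bytes_written": rec.bytes_written, "stages": list(rec.stages)})
    return findings


# Constructed trace: hypothetical pids, handles, sizes and image paths.
SAMPLE_TRACE = [
    ApiCall(1000, "CreateProcessA", {"lpApplicationName": r"C:\Example\child.exe",
                                     "dwCreationFlags": CREATE_SUSPENDED},
            ret={"hProcess": 0x1A4, "hThread": 0x1A8, "dwProcessId": 4242}),
    ApiCall(1000, "ReadProcessMemory", {"hProcess": 0x1A4, "nSize": 4}),
    ApiCall(1000, "VirtualAllocEx", {"hProcess": 0x1A4, "dwSize": 0x2A000,
                                     "flProtect": PAGE_EXECUTE_READWRITE}),
    ApiCall(1000, "WriteProcessMemory", {"hProcess": 0x1A4, "nSize": 0x400}),
    ApiCall(1000, "WriteProcessMemory", {"hProcess": 0x1A4, "nSize": 0x29C00}),
    ApiCall(1000, "Wow64SetThreadContext", {"hThread": 0x1A8}),
    ApiCall(1000, "ResumeThread", {"hThread": 0x1A8}),
    ApiCall(2000, "CreateProcessA", {"lpCommandLine": "notepad.exe", "dwCreationFlags": 0},
            ret={"hProcess": 0x2B0, "hThread": 0x2B4, "dwProcessId": 4300}),
    ApiCall(3000, "CreateProcessA", {"lpApplicationName": r"C:\Example\other.exe",
                                     "dwCreationFlags": CREATE_SUSPENDED},
            ret={"hProcess": 0x3C0, "hThread": 0x3C4, "dwProcessId": 4400}),
    ApiCall(3000, "VirtualAllocEx", {"hProcess": 0x3C0, "dwSize": 0x1000, "flProtect": 0x04}),
    ApiCall(3000, "WriteProcessMemory", {"hProcess": 0x3C0, "nSize": 0x200}),
]

if __name__ == "__main__":
    for finding in find_hollowing_chains(SAMPLE_TRACE):
        print(finding)
```

Keying on the returned handles rather than on API names alone is what keeps the ordinary launch from pid 2000 out of the findings, and it is also why a CREATE_SUSPENDED flag on its own is only reported as context: debuggers and installers create suspended children too. A sandbox trace that stops before SetThreadContext (pid 3000) is surfaced as a partial chain so it is not silently dropped.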

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5df51a3eee3174ef3e2f09367308567ff54e12baddfbfc033510a45f4560acb9
                                                                                  • Instruction ID: 7c6eb144fe0a446e7f01c947f1ee5ea20dbddd945cd39df6ceb2d1820417ffad
                                                                                  • Opcode Fuzzy Hash: 5df51a3eee3174ef3e2f09367308567ff54e12baddfbfc033510a45f4560acb9
                                                                                  • Instruction Fuzzy Hash: B0812870D05628CBEB68CF66D944BEDBBB6BF8A300F0481EAD00DA6254DB705AC5DF51
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 9e3dc6303a2e7c1793e3e225568a8480e7f2e777da3116a5431b6750279e3afb
                                                                                  • Instruction ID: 09a7840ef406faccd6c0203d3cb3a0fc27a5e63e2092b8f2405580ade47f4dfd
                                                                                  • Opcode Fuzzy Hash: 9e3dc6303a2e7c1793e3e225568a8480e7f2e777da3116a5431b6750279e3afb
                                                                                  • Instruction Fuzzy Hash: 5DD01234E0E244CFDF49DF64A5485F47AB9AB0B340F0420E9591A97646D22485419A39
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                   • Basic blocks 5796f64 (entry) through 57972b5, rendered as a text edge list; CreateProcessA is called in block 57970ff-57971b9 (ref 057971A6) and its return is branched on at 57971bb-57971c1 / 57971c2-5797248. The three loops before the call (5797025-5797034, 579707e-579708d, 57970e6-57970f5) each run over a buffer before the call is made.
                                                                                  APIs
                                                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 057971A6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateProcess
                                                                                  • String ID: SLes$SLes
                                                                                  • API String ID: 963392458-3257090266
                                                                                  • Opcode ID: 8b52cef2aca47d761b7cd992c8dc80f395c1b39e76c722179752c3c8a7f80efa
                                                                                  • Instruction ID: d4acb122f1aab392fe676a2ebdb9c0fc4d43edc1d9a51402609c4a14ec96b677
                                                                                  • Opcode Fuzzy Hash: 8b52cef2aca47d761b7cd992c8dc80f395c1b39e76c722179752c3c8a7f80efa
                                                                                  • Instruction Fuzzy Hash: 97A17C71D107198FEF28CF68D841BEDBBB2FB49300F1481A9E819A7240DB759985DFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                   • Same function body as the previous graph, entered at 5796f70; CreateProcessA is called in block 57970ff-57971b9 (ref 057971A6) with the same branches at 57971bb-57971c1 / 57971c2-5797248 and the same tail ending at 57972b5.
                                                                                  APIs
                                                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 057971A6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateProcess
                                                                                  • String ID: SLes$SLes
                                                                                  • API String ID: 963392458-3257090266
                                                                                  • Opcode ID: b38b3c962714d588ee96f16c05b606ae592caed339132dab861c532ba23244d3
                                                                                  • Instruction ID: dd606467336dc68152fb9722be1b5919a6b3f3cd4cf1aaf2cbe0ba26b1c6dc7d
                                                                                  • Opcode Fuzzy Hash: b38b3c962714d588ee96f16c05b606ae592caed339132dab861c532ba23244d3
                                                                                  • Instruction Fuzzy Hash: 29914C71D107198FEF18CF68D841BEDBBB2FB45300F1481A9E819A7240DB759985DFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                   • Basic blocks d0489c (entry) through d05e31; CreateActCtxA is called in block d0489c-d05da9 (ref 00D05D99), followed by a branch to d05dab-d05db1 or d05db2-d05e0c and a short tail at d05e1b-d05e31.
                                                                                  APIs
                                                                                  • CreateActCtxA.KERNEL32(?), ref: 00D05D99
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1345686426.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_d00000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID: Create
                                                                                  • String ID: SLes
                                                                                  • API String ID: 2289755597-1358607504
                                                                                  • Opcode ID: 0f86c7fe7918eb4ebc4e68e1f253ceddb5f6cc7fbfc565d3a5e508cf6aff295a
                                                                                  • Instruction ID: 99adacc228114a98749005c9873be1b99b017794469ec11e12be765336604186
                                                                                  • Opcode Fuzzy Hash: 0f86c7fe7918eb4ebc4e68e1f253ceddb5f6cc7fbfc565d3a5e508cf6aff295a
                                                                                  • Instruction Fuzzy Hash: B641D270C00B19DFEB25CFA9C8447CEBBB5BF49704F20816AE448AB255DB756945CFA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                   • Same function body as the previous graph, entered at d05cdc; CreateActCtxA is called in block d05cec-d05da9 (ref 00D05D99) with the same branches at d05dab-d05db1 / d05db2-d05e0c and the same tail ending at d05e31.
                                                                                  APIs
                                                                                  • CreateActCtxA.KERNEL32(?), ref: 00D05D99
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1345686426.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_d00000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID: Create
                                                                                  • String ID: SLes
                                                                                  • API String ID: 2289755597-1358607504
                                                                                  • Opcode ID: 80ca5da93e8fa960080b3c7037671d4a71dcf1a1f9f958b239fd5ade3c2ba8d4
                                                                                  • Instruction ID: 3babcc73e3721dc22aaf355f5b28040d1a15c59470f6c01da018fdd114626992
                                                                                  • Opcode Fuzzy Hash: 80ca5da93e8fa960080b3c7037671d4a71dcf1a1f9f958b239fd5ade3c2ba8d4
                                                                                  • Instruction Fuzzy Hash: 3841EF70C00B19CFEB25CFA9C8447CEBBB2BF49304F24806AD458AB295DB756945CFA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                   • Basic blocks 5796ce1 (entry) through 5796dbe; WriteProcessMemory is called in block 5796d46-5796d85 (ref 05796D78) and its return is branched on at 5796d87-5796d8d / 5796d8e-5796dbe.
                                                                                  APIs
                                                                                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 05796D78
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID: MemoryProcessWrite
                                                                                  • String ID: SLes
                                                                                  • API String ID: 3559483778-1358607504
                                                                                  • Opcode ID: 15a89894b40977f4aec82844a0c97cb3c4b710e11c64cf7004d784d915a61bc3
                                                                                  • Instruction ID: 78ffab6e0fd3b2d969c784bfaeca005960183a7eb87522f102f3f30ff46d0ee5
                                                                                  • Opcode Fuzzy Hash: 15a89894b40977f4aec82844a0c97cb3c4b710e11c64cf7004d784d915a61bc3
                                                                                  • Instruction Fuzzy Hash: 5F2155B19003599FDF04CFA9D8847EEBBF1FF49310F10852AE929A7240C7799940DBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                   • Same function body as the previous graph, entered at 5796ce8; WriteProcessMemory is called in block 5796d46-5796d85 (ref 05796D78) with the same branches at 5796d87-5796d8d / 5796d8e-5796dbe.
                                                                                  APIs
                                                                                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 05796D78
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID: MemoryProcessWrite
                                                                                  • String ID: SLes
                                                                                  • API String ID: 3559483778-1358607504
                                                                                  • Opcode ID: e9ec5ed962aef45926758042e8ee1952e26cfd973f367ce8ed474b68205c4c23
                                                                                  • Instruction ID: 3ed22a3437840bcba27efdd421c232f2c08b6761fc6387a1a1439fb33a5b4505
                                                                                  • Opcode Fuzzy Hash: e9ec5ed962aef45926758042e8ee1952e26cfd973f367ce8ed474b68205c4c23
                                                                                  • Instruction Fuzzy Hash: 732169719003599FDF00CFAAC884BDEBBF5FF48310F14842AE919A7240C7789940CBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                   • Same function body again, entered at 5796ce7; WriteProcessMemory is called in block 5796d46-5796d85 (ref 05796D78) with the same branches at 5796d87-5796d8d / 5796d8e-5796dbe.
                                                                                  APIs
                                                                                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 05796D78
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID: MemoryProcessWrite
                                                                                  • String ID: SLes
                                                                                  • API String ID: 3559483778-1358607504
                                                                                  • Opcode ID: 75441918d1da2fdb11649e616819d189bc0def5e630902c82cda6e0249085e1e
                                                                                  • Instruction ID: 642b926a34cd1def18003bbbeb3ebdba223bcc9f99e595eacde9cb75818f304b
                                                                                  • Opcode Fuzzy Hash: 75441918d1da2fdb11649e616819d189bc0def5e630902c82cda6e0249085e1e
                                                                                  • Instruction Fuzzy Hash: E62125B69003599FDF00CFA9D9857EEBBF1FF48310F14842AE929A7240D7789954CBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                   • Basic blocks 5796dd0 (entry) through 5796e9e; ReadProcessMemory is called in block 5796dd9-5796e65 (ref 05796E58) and its return is branched on at 5796e67-5796e6d / 5796e6e-5796e9e.
                                                                                  APIs
                                                                                  • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 05796E58
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID: MemoryProcessRead
                                                                                  • String ID: SLes
                                                                                  • API String ID: 1726664587-1358607504
                                                                                  • Opcode ID: 2f96162d76202ecc515123b102bd3ec6227087360b7df580b0157b1763028cd5
                                                                                  • Instruction ID: f35e4b647329f25465ecef5cfd98600affa8428fe741b81843310f37150ab1f6
                                                                                  • Opcode Fuzzy Hash: 2f96162d76202ecc515123b102bd3ec6227087360b7df580b0157b1763028cd5
                                                                                  • Instruction Fuzzy Hash: C92125758002599FDF10CFAAD8807EEBBB5FF48310F14842EE969A7240C7799501DBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

Control-flow Graph
• Blocks: 206 = 5796dd8-5796e65 (ReadProcessMemory), 210 = 5796e6e-5796e9e, 211 = 5796e67-5796e6d
• Edges: 206->210, 206->211, 211->210
APIs
• ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 05796E58
Strings
Memory Dump Source
• Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID: SLes
• API String ID: 1726664587-1358607504
• Opcode ID: e5e122963e988bf92a6e9174d6796c1c22b486be93e2dcc5192203b12cb9be9b
• Instruction ID: 5bc9bded76dd92e38e5abc728bc9184976ccc8bb4a5d9d797011b6776caf4322
• Opcode Fuzzy Hash: e5e122963e988bf92a6e9174d6796c1c22b486be93e2dcc5192203b12cb9be9b
• Instruction Fuzzy Hash: F82125B18003499FDF10CFAAD880BEEBBF5FF48310F54842AE519A7240C7799940CBA0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Blocks: 196 = 5796b50-5796b9b, 198 = 5796bab-5796bdb (Wow64SetThreadContext), 199 = 5796b9d-5796ba9, 201 = 5796bdd-5796be3, 202 = 5796be4-5796c14
• Edges: 196->198, 196->199, 198->201, 198->202, 199->198, 201->202
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05796BCE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID: SLes
• API String ID: 983334009-1358607504
• Opcode ID: 5bfc37ee5ffaabfa9a6f5745e9355a9db57014f2f147ce2402877c91160abe1b
• Instruction ID: 61650b59ec44e151d6c1c3cee4dccbfa75c9f491289b63ce31522fc9a3bd475a
• Opcode Fuzzy Hash: 5bfc37ee5ffaabfa9a6f5745e9355a9db57014f2f147ce2402877c91160abe1b
• Instruction Fuzzy Hash: C8214771D043098FDB14CFAAC4857EEBBF4EF88310F24842AD559A7240D778A944CFA0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Blocks: 215 = 5796c21-5796c22, 216 = 5796c29-5796ca3 (VirtualAllocEx), 217 = 5796c24-5796c26, 220 = 5796cac-5796cd1, 221 = 5796ca5-5796cab
• Edges: 215->216, 215->217, 216->220, 216->221, 217->216, 221->220
APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 05796C96
Strings
Memory Dump Source
• Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
Similarity
• API ID: AllocVirtual
• String ID: SLes
• API String ID: 4275171209-1358607504
• Opcode ID: e35bfb2c9a4b8d9769a21afc917b44ab7ded0b66714bdba4532f347cb8189002
• Instruction ID: 02b305f85c489c25272d0b98bff1cc72fbe199ffbadf6c7fc98b10139f4ef777
• Opcode Fuzzy Hash: e35bfb2c9a4b8d9769a21afc917b44ab7ded0b66714bdba4532f347cb8189002
• Instruction Fuzzy Hash: 0E1167728003098FDF10CFAAD844BEEBBF5EB49310F14882AE519A7250C775A940CBA0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Blocks: 235 = 5796c28-5796ca3 (VirtualAllocEx), 239 = 5796cac-5796cd1, 240 = 5796ca5-5796cab
• Edges: 235->239, 235->240, 240->239
APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 05796C96
Strings
Memory Dump Source
• Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
Similarity
• API ID: AllocVirtual
• String ID: SLes
• API String ID: 4275171209-1358607504
• Opcode ID: 141303a6acdb4522cd2db8386f6a2e0612083f386c001cf081b1a67c47444701
• Instruction ID: dc61a1febe48f4fc51ca7932c39eef556acd552f007a67112a290186ef1b7695
• Opcode Fuzzy Hash: 141303a6acdb4522cd2db8386f6a2e0612083f386c001cf081b1a67c47444701
• Instruction Fuzzy Hash: 0E1137728003499FDF10DFAAD844BDEBBF5EF49310F248829E519A7250C775A540CFA0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Blocks: 225 = 5796a98-5796a9a, 226 = 5796a9c, 227 = 5796aa1-5796b0f (ResumeThread), 230 = 5796b18-5796b3d, 231 = 5796b11-5796b17
• Edges: 225->226, 225->227, 226->227, 227->230, 227->231, 231->230
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
Similarity
• API ID: ResumeThread
• String ID: SLes
• API String ID: 947044025-1358607504
• Opcode ID: 7d2917fe6aa21289514231626bd4c987d0ea9420d3688d6071c1520bc038de0a
• Instruction ID: 61d1d72edf81d2a6e0b21db544cb73154673020873db7cab5146eb8dceeb9c74
• Opcode Fuzzy Hash: 7d2917fe6aa21289514231626bd4c987d0ea9420d3688d6071c1520bc038de0a
• Instruction Fuzzy Hash: 571149B1D042498BDB14DFAAD4447EEBBF5EB48220F248529D469A7380CB759940CBA4
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Blocks: 253 = 579b869-579b8d5 (FindCloseChangeNotification), 254 = 579b8de-579b906, 255 = 579b8d7-579b8dd
• Edges: 253->254, 253->255, 255->254
APIs
• FindCloseChangeNotification.KERNEL32(?), ref: 0579B8C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID: SLes
• API String ID: 2591292051-1358607504
• Opcode ID: 24b7a41d424600a14c5e242ce9db253693cf97ed4983299bc8131ec4fe12baa8
• Instruction ID: bc8aa125a5bb18a93a8ed7cc75f0a05cfbb30afe898582c1eff8f2c42b7feedc
• Opcode Fuzzy Hash: 24b7a41d424600a14c5e242ce9db253693cf97ed4983299bc8131ec4fe12baa8
• Instruction Fuzzy Hash: 8B1136B58047498FDB10CF99D445BEEBBF4EF88320F21846AD458A7740C379A944CFA4
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Blocks: 244 = 5796aa0-5796b0f (ResumeThread), 248 = 5796b18-5796b3d, 249 = 5796b11-5796b17
• Edges: 244->248, 244->249, 249->248
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
Similarity
• API ID: ResumeThread
• String ID: SLes
• API String ID: 947044025-1358607504
• Opcode ID: 0336ffcfa7336527f8434c582c77ca91e68aa30e09cb7e4f14bc0b18329e2a9f
• Instruction ID: 33149b40d52723acab52b0c97219ca8995fb871f21d6f45157754b31cf65c737
• Opcode Fuzzy Hash: 0336ffcfa7336527f8434c582c77ca91e68aa30e09cb7e4f14bc0b18329e2a9f
• Instruction Fuzzy Hash: D91166B1D003498FDB10DFAAD4447EEFBF4EF88320F24842AD419A7240C779A940CBA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
Similarity
• API ID: ResumeThread
• String ID: SLes
• API String ID: 947044025-1358607504
• Opcode ID: 2cfe195c0e82f3c07a4f08a5b6f3ce739c57d86ca2db720175c9df755e56a8b7
• Instruction ID: 5cfc49712f9663358813eda68dff234221099348bbddc8126b8c9304983de85d
• Opcode Fuzzy Hash: 2cfe195c0e82f3c07a4f08a5b6f3ce739c57d86ca2db720175c9df755e56a8b7
• Instruction Fuzzy Hash: 001133B1D003498FDB24DFAAD4447EEFBF5AF88320F24842AD419A7240C779A944CBA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 05799C3D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
Similarity
• API ID: MessagePost
• String ID: SLes
• API String ID: 410705778-1358607504
• Opcode ID: 54a9fa3430c8ca6263ba7487f1ff596d116f54b44d211bdeb16fb8e7cb89266c
• Instruction ID: 15b00c6d8d2525891f9571b33015457629cbbab05faa6f1696d9ce409bf48ca8
• Opcode Fuzzy Hash: 54a9fa3430c8ca6263ba7487f1ff596d116f54b44d211bdeb16fb8e7cb89266c
• Instruction Fuzzy Hash: FB1133B5804308DFEB10CF9AD845BDEBBF8EB48310F20841AE518A3300C375A940CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNEL32(?), ref: 0579B8C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID: SLes
• API String ID: 2591292051-1358607504
• Opcode ID: b595d93c037ecc989557da4dbfe628dacee496cd743402e4d8097a833efce6f2
• Instruction ID: 1fe15fa681bba278b607321cc03a1c2b07703d1cbc1be2a5d41fa6a918cfb7de
• Opcode Fuzzy Hash: b595d93c037ecc989557da4dbfe628dacee496cd743402e4d8097a833efce6f2
• Instruction Fuzzy Hash: 2C1133B58043498FDB10CF9AD445BDEBBF4EB48320F20846AD568A7740D378A544CFA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 05799C3D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
Similarity
• API ID: MessagePost
• String ID: SLes
• API String ID: 410705778-1358607504
• Opcode ID: e694a620da512dd392941fb576f74a7e45474174357abc16b98d51415fb1f076
• Instruction ID: 5e2dc6b9149155aa1200784dd0559b6d9ae24e4e06b6071bf3bbfc455daf8bdc
• Opcode Fuzzy Hash: e694a620da512dd392941fb576f74a7e45474174357abc16b98d51415fb1f076
• Instruction Fuzzy Hash: BF1122B58007499FDB10CF99D985BEEBBF8FB48310F20881AE558A3600C378A540CFA1
Uniqueness
• Uniqueness Score: -1.00%
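
The function entries above for the 0x05790000 dump (a region the report marks "based on PE: false", i.e. code that is not backed by a mapped image) together contain VirtualAllocEx, ReadProcessMemory and Wow64SetThreadContext, with ResumeThread visible in two control-flow graphs: the call set of a 32-bit process-hollowing (RunPE) stub. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's own API and "Source File" lines (the excerpt is constructed from the entries on this page), groups call sites by dump region, and scores each region against an assumed table of hollowing steps. The step table, the three-step threshold and the field names are this example's assumptions, not Joe Sandbox's signature logic; WriteProcessMemory and a ResumeThread API line are absent from this section, so the result deliberately reports them as missing rather than guessing.

```python
"""Correlate per-function API entries of a Joe Sandbox function listing into a
process-hollowing indicator. Added example; REPORT_EXCERPT is constructed from
the report's own lines, HOLLOWING_STEPS and the scoring rule are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt: for each function entry the report prints the API
# line first and the "Source File" line of the containing dump region after it.
REPORT_EXCERPT = """\
ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 05796E58
Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05796BCE
Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 05796C96
Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
FindCloseChangeNotification.KERNEL32(?), ref: 0579B8C8
Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
PostMessageW.USER32(?,00000010,00000000,?), ref: 05799C3D
Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
"""

API_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(
    r"^Source File: (?P<dump>[^,]+), Offset: (?P<off>[0-9A-Fa-f]+), "
    r"based on PE: (?P<pe>true|false)$")

# Assumed indicator table: each hollowing step and the APIs that implement it.
HOLLOWING_STEPS = [
    ("allocate remote memory", ("VirtualAllocEx", "NtAllocateVirtualMemory")),
    ("write payload", ("WriteProcessMemory", "NtWriteVirtualMemory")),
    ("read remote process memory", ("ReadProcessMemory", "NtReadVirtualMemory")),
    ("redirect thread entry point",
     ("SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread")),
    ("resume suspended thread", ("ResumeThread", "NtResumeThread")),
]
MIN_STEPS_TO_FLAG = 3  # assumption: three of the five steps in one region


@dataclass(frozen=True)
class Entry:
    api: str
    module: str
    ref: int         # address of the call site
    offset: int      # base of the dump region containing it
    pe_backed: bool  # False: region is not an image mapping (unpacked code)


def parse_entries(text):
    """Yield one Entry per API line, attached to the next 'Source File' line."""
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            pending.append(m)
            continue
        m = SRC_RE.match(line)
        if m:
            for a in pending:
                yield Entry(a["api"], a["mod"], int(a["ref"], 16),
                            int(m["off"], 16), m["pe"] == "true")
            pending = []


def assess(text):
    """Group call sites by dump region and score each region for hollowing."""
    regions = defaultdict(list)
    for e in parse_entries(text):
        # A call site must lie at or above the base of the region that claims
        # it; anything else means the listing was mis-parsed.
        if e.ref < e.offset:
            raise ValueError(f"ref {e.ref:08X} below region base {e.offset:08X}")
        regions[e.offset].append(e)

    findings = []
    step_apis = {a for _, alts in HOLLOWING_STEPS for a in alts}
    for offset, entries in sorted(regions.items()):
        apis = {e.api for e in entries}
        seen = [name for name, alts in HOLLOWING_STEPS if apis.intersection(alts)]
        missing = [name for name, alts in HOLLOWING_STEPS if not apis.intersection(alts)]
        pe_backed = entries[0].pe_backed
        findings.append({
            "offset": offset,
            "pe_backed": pe_backed,
            "steps_seen": seen,
            "steps_missing": missing,
            # The Wow64 variant means the thread being redirected is 32-bit.
            "wow64_target": "Wow64SetThreadContext" in apis,
            "other_apis": sorted(apis - step_apis),
            # Call sites in address order, for cross-checking with the CFGs.
            "call_sites": sorted((e.ref, e.api) for e in entries),
            "flagged": (not pe_backed) and len(seen) >= MIN_STEPS_TO_FLAG,
        })
    return findings


if __name__ == "__main__":
    for f in assess(REPORT_EXCERPT):
        print(f"region {f['offset']:08X} pe_backed={f['pe_backed']} flagged={f['flagged']}")
        print("  seen:   ", ", ".join(f["steps_seen"]))
        print("  missing:", ", ".join(f["steps_missing"]))
        for ref, api in f["call_sites"]:
            print(f"  {ref:08X}  {api}")
```

Call-site addresses give code layout, not execution order, so the script lists them only for cross-reference with the block ranges in the control-flow graphs above (05796C96 falls in block 216, 05796BCE in block 198, 05796E58 in block 206). The same parser works on the full report: feed it every API and "Source File" line and each dump region is scored separately, which is how a region with no image backing and a full allocate/write/redirect/resume set stands out from the benign PE-backed ones.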

Memory Dump Source
• Source File: 00000000.00000002.1345480812.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_91d000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6238fe8b6828ceea13f6c90831db0cf44ada045e6c4206ccd7825e8161c082d1
• Instruction ID: 0d94842e6cc816fc35a46d003ddc5cdf84f15b0af498575d96ebf21232e829c2
• Opcode Fuzzy Hash: 6238fe8b6828ceea13f6c90831db0cf44ada045e6c4206ccd7825e8161c082d1
• Instruction Fuzzy Hash: 3F210775704348DFDB05DF10D5C0B65BBA5FB84318F24C96DD81A4B282C33AD887CA62
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1345480812.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_91d000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67ecacbc414d22aef6202187077ce60907c2b4648c2b07c20487017d8214e61a
• Instruction ID: 3608912ae8ced5eaee9988fd6094b1987ffc45413178ae6ae1e9cf20df9c6897
• Opcode Fuzzy Hash: 67ecacbc414d22aef6202187077ce60907c2b4648c2b07c20487017d8214e61a
• Instruction Fuzzy Hash: 58210771608348EFDB08DF10D9C0B56BB65FB84314F24C56DD8094B296C33AD886CA61
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1345480812.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_91d000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
• Instruction ID: df5034cb245abda29bf93d1da23f68fe7fb0bca83fe7397abf88ed66bc073226
• Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
• Instruction Fuzzy Hash: BA119D75604284DFCB06CF14D5C4B55BFB1FB84318F28C6AAD8494B696C33AD88ACB62
Uniqueness
• Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 38b8c37249d63e741f47b7051e822bc5a632ce0b46f061b3b4954847d7392467
                                                                                  • Instruction ID: e0667b1d856ea2afa11c1fbbd12c9ca625fd00d2ea6b4b2dee2dc5f321c4ee9a
                                                                                  • Opcode Fuzzy Hash: 38b8c37249d63e741f47b7051e822bc5a632ce0b46f061b3b4954847d7392467
                                                                                  • Instruction Fuzzy Hash: DEE10A74E002198FDF18DF99D580AAEFBB2BF89305F248169E415AB356D730AD42DF60
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f3001224732ef6de1ade8d8a697b7d32269a9b69878a207f2d14bb879d53c2d3
                                                                                  • Instruction ID: e812b4e2355016a5446c5d3e4f8e874fbd5fda101ceb25f6e66a5846b2bc1107
                                                                                  • Opcode Fuzzy Hash: f3001224732ef6de1ade8d8a697b7d32269a9b69878a207f2d14bb879d53c2d3
                                                                                  • Instruction Fuzzy Hash: ECE10974E002198FDF18DFA8D580AAEFBB2BF89305F248169E415AB355D730AD42DF60
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1345686426.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_d00000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 30a081e3afc8b53ad4b0cc84f8d1cc6e5b11afb7e72f281fcc01f738436e2adb
                                                                                  • Instruction ID: 55494c86f5a3415c37eae64a51d046ae69074174e2d1a29159c1cdcba22102b2
                                                                                  • Opcode Fuzzy Hash: 30a081e3afc8b53ad4b0cc84f8d1cc6e5b11afb7e72f281fcc01f738436e2adb
                                                                                  • Instruction Fuzzy Hash: AED11731D2071A8ADB11EB64D854ADDB3B5FFD5340F10C79AE0093B225EB74AAC9CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1350465703.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5790000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: fb36261b58e61448d1b0e8fc88dc368614bdadab79514dfa27c8dca58206d593
                                                                                  • Instruction ID: cd7e2ae0dd333df9a90667ded197579b1de488cafe1878ecb18793ba5dc44503
                                                                                  • Opcode Fuzzy Hash: fb36261b58e61448d1b0e8fc88dc368614bdadab79514dfa27c8dca58206d593
                                                                                  • Instruction Fuzzy Hash: A731BB71D096688BEF28CF6BDC053DAFAB7AFCA310F04C1EA841CA6255DB7405858F51
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Execution Graph

                                                                                  Execution Coverage:11%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:0%
                                                                                  Total number of Nodes:169
                                                                                  Total number of Limit Nodes:17

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $
                                                                                  • API String ID: 0-3993045852
                                                                                  • Opcode ID: db8ce362d3d01be755f40b2c2fcff76d8edac37b1ab3f9b624ba564e126228fe
                                                                                  • Instruction ID: 0c9a0eba2b42f79aaab0e569a9564ce718bab77fd71166b64dc62a6ab3539a7a
                                                                                  • Opcode Fuzzy Hash: db8ce362d3d01be755f40b2c2fcff76d8edac37b1ab3f9b624ba564e126228fe
                                                                                  • Instruction Fuzzy Hash: 1622B175F002159FDF64EBA8E5806AEBBB2EF85310F24856AD416EB384DB35DC41CB90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: eb7e7e51c0a4ac99fb068cdcfd609e68a737999b1f5fd4be22a6eef164c93265
                                                                                  • Instruction ID: fe696b3dd6a119cda79a1e3930eb41e0367baa93980b703368d7ec04ce106f95
                                                                                  • Opcode Fuzzy Hash: eb7e7e51c0a4ac99fb068cdcfd609e68a737999b1f5fd4be22a6eef164c93265
                                                                                  • Instruction Fuzzy Hash: EE926834E002048FDB64EF68C588A6DBBF2EF49315F5588AAD509EB361DB35ED41CB90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 94bb3fb198dd5e3ef10c8c857da0307aab697b07c718025669a59d989aba9ace
                                                                                  • Instruction ID: 19fa51f6c74d802ac8be32aa0a4bd5fbcb821e3e55e834eccada04e877cae8f0
                                                                                  • Opcode Fuzzy Hash: 94bb3fb198dd5e3ef10c8c857da0307aab697b07c718025669a59d989aba9ace
                                                                                  • Instruction Fuzzy Hash: 7B628C34B002459FDB54EB68D994AADB7F2EF88354F148469E40AEB390DB35ED42CBD0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 60d6b94aa4528004362e581c607b33f7c8e7fd5d13dce581549944ff3f83144e
                                                                                  • Instruction ID: 18878b43673b0710b5502ae987d11a127739ed1628ddeb392964f60a0cbdb9a9
                                                                                  • Opcode Fuzzy Hash: 60d6b94aa4528004362e581c607b33f7c8e7fd5d13dce581549944ff3f83144e
                                                                                  • Instruction Fuzzy Hash: 9F328134B102059FDF54EB68E894BAEB7BAFB88310F148929D509E7351DB35EC41CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0fa0011902fa512a50128675278fd8c3aa82f5f7ef486e676b4b4cbcfa028781
                                                                                  • Instruction ID: 4b17c835a11bf050b0517981e6e7d772003380812976ac31ecd04f62c44e8b31
                                                                                  • Opcode Fuzzy Hash: 0fa0011902fa512a50128675278fd8c3aa82f5f7ef486e676b4b4cbcfa028781
                                                                                  • Instruction Fuzzy Hash: B622A4B0F002099BEF60EB5DD4907ADB7B2FB89318F658527D445EB391CA35DC818B91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d168dbaef9bd2792120012a1d22471f918d750151c1bceaccf7d7c5967bb881b
                                                                                  • Instruction ID: a185dd4ca119b54fa2a22950457a74b80fd1050960ca4f40357b0a06ba1dab60
                                                                                  • Opcode Fuzzy Hash: d168dbaef9bd2792120012a1d22471f918d750151c1bceaccf7d7c5967bb881b
                                                                                  • Instruction Fuzzy Hash: 57323E30E10719CBDB15EF69D8945ADB7B2FFC9300F51C6AAD409AB250EB30AD85CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e10dafb3c5b2cebd75bf5eb800b1d4903c5c1122f9c1c85fb319256d6c2dc90f
                                                                                  • Instruction ID: 74a741b4add39084d3ef3e6c422793994665fde28a78e624ad0b4c0d83488b9d
                                                                                  • Opcode Fuzzy Hash: e10dafb3c5b2cebd75bf5eb800b1d4903c5c1122f9c1c85fb319256d6c2dc90f
                                                                                  • Instruction Fuzzy Hash: 82028A30B002059FDB55EB69E894BAEB7B2FF88310F148569D805EB394DB75ED42CB90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32 ref: 015A2BC6
                                                                                  • GetCurrentThread.KERNEL32 ref: 015A2C03
                                                                                  • GetCurrentProcess.KERNEL32 ref: 015A2C40
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 015A2C99
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2575510541.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_15a0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID: Current$ProcessThread
                                                                                  • String ID:
                                                                                  • API String ID: 2063062207-0
                                                                                  • Opcode ID: b2e3b6e0bd17fe5349a9b1beac3e7e2c634838ada861270d2b86789a10a35301
                                                                                  • Instruction ID: 6da3a22fc2daed16388a68a3250e9f842409392ada82885a3db38ec27ae6917b
                                                                                  • Opcode Fuzzy Hash: b2e3b6e0bd17fe5349a9b1beac3e7e2c634838ada861270d2b86789a10a35301
                                                                                  • Instruction Fuzzy Hash: C25155B09003498FEB14CFAAD948B9EBBF1FB48314F20845EE418AB290D7755944CF66
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32 ref: 015A2BC6
                                                                                  • GetCurrentThread.KERNEL32 ref: 015A2C03
                                                                                  • GetCurrentProcess.KERNEL32 ref: 015A2C40
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 015A2C99
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2575510541.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_15a0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID: Current$ProcessThread
                                                                                  • String ID:
                                                                                  • API String ID: 2063062207-0
                                                                                  • Opcode ID: 99a627700abff86c66bdbe0de88df722a1b7f83ec5c442ddd168b5022a8218a6
                                                                                  • Instruction ID: 7ae228ee649858402d36ac952a2901b445f04e4f524c6e4a51298045bc04e402
                                                                                  • Opcode Fuzzy Hash: 99a627700abff86c66bdbe0de88df722a1b7f83ec5c442ddd168b5022a8218a6
                                                                                  • Instruction Fuzzy Hash: D75154B09007498FEB18CFAAD948B9EBBF1BB48314F20845DE419AB390D7749944CF66
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                   [Graph image not preserved in this extraction; legend: Executed / Not Executed. Basic blocks 15ab1d0-15ab460; internal calls to 15aa5a4, 15ab46a, 15ab478, 15aa5b0, 15a375c, 15a8bc0 and 15aa5c0; GetModuleHandleW is called from block 15ab418-15ab443.]
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 015AB436
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2575510541.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_15a0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID: HandleModule
                                                                                  • String ID:
                                                                                  • API String ID: 4139908857-0
                                                                                  • Opcode ID: 4b24db8ceb73b79a1546e262fcaa841100f39aa062ed2eb9124902b558383aaa
                                                                                  • Instruction ID: 8f31afbaa4e4207bc8451eabb31775a832366a6053dbbbc9498d950c1318f067
                                                                                  • Opcode Fuzzy Hash: 4b24db8ceb73b79a1546e262fcaa841100f39aa062ed2eb9124902b558383aaa
                                                                                  • Instruction Fuzzy Hash: 938135B0A00B058FEB24DF6AD04475EBBF1FF88210F508A2ED48ADBA40D775E945CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                   [Graph image not preserved in this extraction; legend: Executed / Not Executed. Basic blocks 15ad350-15ad521; internal call to 15aa75c; CreateWindowExW is called from block 15ad433-15ad4d2; the final block 15ad521 branches to itself.]
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2575510541.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_15a0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 01f249c43b6854681e7820bb428367f81e2b294afdbf2d9edcdfa04c2be67211
                                                                                  • Instruction ID: 140261309d25b5ca61bcccbb54958e2d8e840feb930481c6770845ff1d80f458
                                                                                  • Opcode Fuzzy Hash: 01f249c43b6854681e7820bb428367f81e2b294afdbf2d9edcdfa04c2be67211
                                                                                  • Instruction Fuzzy Hash: 6651FFB1D00349AFDF15CFA9C984ADEBFB2BF48310F54816AE908AB620D3719855CF90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                   [Graph image not preserved in this extraction; legend: Executed / Not Executed. Basic blocks 15ad3b0-15ad521; CreateWindowExW is called from block 15ad473-15ad4d2; the final block 15ad521 branches to itself.]
                                                                                  APIs
                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015AD4C2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2575510541.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_15a0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateWindow
                                                                                  • String ID:
                                                                                  • API String ID: 716092398-0
                                                                                  • Opcode ID: 1415cb0459ed265956868c8518ed8e90ebf2595e037873873ec2ad2076290546
                                                                                  • Instruction ID: 357d9c4e80be33e8cbfbd7c09f6a8ca5ca63fb9a98b625801fa691ea57d18c04
                                                                                  • Opcode Fuzzy Hash: 1415cb0459ed265956868c8518ed8e90ebf2595e037873873ec2ad2076290546
                                                                                  • Instruction Fuzzy Hash: A741B2B1D003099FEB14DF9AD984ADEBFB5BF48310F64812AE819AB250D775A845CF90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                   [Graph image not preserved in this extraction; legend: Executed / Not Executed. Basic blocks 15aa8ac-15afc0c; internal call to 15aa784; CallWindowProcW is called from block 15afb8a-15afbc2.]
                                                                                  APIs
                                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 015AFBB1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2575510541.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_15a0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID: CallProcWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2714655100-0
                                                                                  • Opcode ID: c8aef0a87028634972f7db17da198e8193003e91e15b4e160b64c56ce4bc9abf
                                                                                  • Instruction ID: 8dcc1e5c1870a073bfe28543a7e17caa6734ea54ee820850a8e052baf0f82d87
                                                                                  • Opcode Fuzzy Hash: c8aef0a87028634972f7db17da198e8193003e91e15b4e160b64c56ce4bc9abf
                                                                                  • Instruction Fuzzy Hash: 1C4117B4900309DFDB14CF99C488AAEBBF5FB88314F24C859E519AB321D774A841CFA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                   [Graph image not preserved in this extraction; legend: Executed / Not Executed. Basic blocks 15a2d88-15a2e4a; DuplicateHandle is called from block 15a2d88-15a2e24.]
                                                                                  APIs
                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015A2E17
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2575510541.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_15a0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0
                                                                                  • Opcode ID: e89cad4627f7b47073b36bb03393e014e80136b3158dab335dcdee5619da5a9d
                                                                                  • Instruction ID: 50fbd846f1e12bab9711f3643acede62a4b735cdea28b052f05071ca15752646
                                                                                  • Opcode Fuzzy Hash: e89cad4627f7b47073b36bb03393e014e80136b3158dab335dcdee5619da5a9d
                                                                                  • Instruction Fuzzy Hash: 3021D2B5D003099FDB10CFAAD585AEEBBF4FB48320F14846AE914A7350D378A954CF61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                   [Graph image not preserved in this extraction; legend: Executed / Not Executed. Basic blocks 15a2d90-15a2e4a; DuplicateHandle is called from block 15a2d90-15a2e24.]
                                                                                  APIs
                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015A2E17
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2575510541.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_15a0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0
                                                                                  • Opcode ID: e064e4b440a52b6d32b6aedbdf434c83f5905efc322d7a09da2bb1f2750b3872
                                                                                  • Instruction ID: 880d2f9a2765ed4b99a175a0157fb2a8b94bb8e85783ee3febf09a3d7f0791f3
                                                                                  • Opcode Fuzzy Hash: e064e4b440a52b6d32b6aedbdf434c83f5905efc322d7a09da2bb1f2750b3872
                                                                                  • Instruction Fuzzy Hash: 5521E4B59003099FDB10CF9AD584ADEBBF4FB48320F14841AE914A7350D374A950CFA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                   [Graph image not preserved in this extraction; legend: Executed / Not Executed. Basic blocks 18ceb40-18cebed; GlobalMemoryStatusEx is called from block 18ceb40-18cebbc.]
                                                                                  APIs
                                                                                  • GlobalMemoryStatusEx.KERNELBASE ref: 018CEBAF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2576852846.00000000018C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_18c0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID: GlobalMemoryStatus
                                                                                  • String ID:
                                                                                  • API String ID: 1890195054-0
                                                                                  • Opcode ID: 942bbd53b45792da82258bbeebaf06e9af9141f3540cfbd7dffc2e29c60540b9
                                                                                  • Instruction ID: 244ed7d0fdf2a51d34538fd96fcd272b4bb56c6c2a3137447ac079e518a0d5b2
                                                                                  • Opcode Fuzzy Hash: 942bbd53b45792da82258bbeebaf06e9af9141f3540cfbd7dffc2e29c60540b9
                                                                                  • Instruction Fuzzy Hash: BB1103B2C006599FDB10CF9AC544BDEFBB4AF48320F15816AE918B7240D378A954CFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                   [Graph image not preserved in this extraction; legend: Executed / Not Executed. Basic blocks 15aa5e8-15ab6d5; LoadLibraryExW is called from block 15ab680-15ab6af.]
                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015AB4B1,00000800,00000000,00000000), ref: 015AB6A2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2575510541.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_15a0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 1029625771-0
                                                                                  • Opcode ID: 0c4c6b071098bae9c64fc3ab9e77eac989dd12b170efacd4be8038a9a9bb5156
                                                                                  • Instruction ID: 13d5d557a2ff279c57c2930cac917872c3b1ca82a9b4ad697e3b09fe716be462
                                                                                  • Opcode Fuzzy Hash: 0c4c6b071098bae9c64fc3ab9e77eac989dd12b170efacd4be8038a9a9bb5156
                                                                                  • Instruction Fuzzy Hash: E81114B69003099FDB10CF9AD844ADEFBF4FB58310F14842EE919AB200C375A545CFA4
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                   [Graph image not preserved in this extraction; legend: Executed / Not Executed. Basic blocks 15ab632-15ab6d5; LoadLibraryExW is called from block 15ab680-15ab6af.]
                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015AB4B1,00000800,00000000,00000000), ref: 015AB6A2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2575510541.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_15a0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 1029625771-0
                                                                                  • Opcode ID: a31e74a94bc7cdd8edb9c09f25de90b00db387d1213cd424c1bd39e2b9632617
                                                                                  • Instruction ID: e8ebd38b3107c96f3af604c4004acaed14ba1e208d7243b9c2e98366a69d4b63
                                                                                  • Opcode Fuzzy Hash: a31e74a94bc7cdd8edb9c09f25de90b00db387d1213cd424c1bd39e2b9632617
                                                                                  • Instruction Fuzzy Hash: 5521F2B68003098FDB20CF9AD444AEEFBF4BB88320F10842ED419A7600C375A545CFA4
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                   [Graph image not preserved in this extraction; legend: Executed / Not Executed. Basic blocks 18ceb48-18cebed; GlobalMemoryStatusEx is called from block 18ceb48-18cebbc.]
                                                                                  APIs
                                                                                  • GlobalMemoryStatusEx.KERNELBASE ref: 018CEBAF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2576852846.00000000018C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_18c0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID: GlobalMemoryStatus
                                                                                  • String ID:
                                                                                  • API String ID: 1890195054-0
                                                                                  • Opcode ID: a6febd69d09f2388e5f6cfa71b8bb693bff7c7a0bd5e7e3bb65321ed5447af7f
                                                                                  • Instruction ID: 0c03afdaf33763041f0395548531f7ff6e50ff2dfb48b0e46d3c6fd8cbf327db
                                                                                  • Opcode Fuzzy Hash: a6febd69d09f2388e5f6cfa71b8bb693bff7c7a0bd5e7e3bb65321ed5447af7f
                                                                                  • Instruction Fuzzy Hash: CE11E4B1C006599BDB10CF9AD544BDEFBF4AF48320F15816AD918B7240D378A954CFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
• Block 889: 15ab3d0-15ab410 -> 890, 891
• Block 890: 15ab418-15ab443 (calls GetModuleHandleW) -> 892, 893
• Block 891: 15ab412-15ab415 -> 890
• Block 892: 15ab44c-15ab460
• Block 893: 15ab445-15ab44b -> 892
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 015AB436
Memory Dump Source
• Source File: 00000002.00000002.2575510541.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_15a0000_Gcerti Quote.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: bc7c3247efb47c150dac2f5ded66c71c66a2facc07fb7ed19f2fa763fd824a51
• Instruction ID: 7b134ba851c01a411d4691bb62c3ab1c3fd23b25b120df06496291b7dd833bf6
• Opcode Fuzzy Hash: bc7c3247efb47c150dac2f5ded66c71c66a2facc07fb7ed19f2fa763fd824a51
• Instruction Fuzzy Hash: 02110CB6C002498FDB20CF9AD444A9EFBF5AF88220F14842AD928B7200D379A545CFA1
Uniqueness
• Uniqueness Score: -1.00%
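The entries above, parsed into records a triage script can work with, as an added example that is not part of this Joe Sandbox report or of Joe Sandbox's own tooling. It assumes that each entry ends at its "Uniqueness Score" line, as in the flattened text of this page, and that the fourth dot-separated field of a .sdmp file name is the dump's base address (it equals the stated Offset on every entry here); the sample text is copied from entries on this page with some fields dropped.

```python
"""Parse Joe Sandbox disassembly entries (as flattened to text on this page)
into records for triage.  Added example, not part of this report or of Joe
Sandbox.  SAMPLE is copied from entries on this page with some fields dropped;
the layout assumption is that an entry ends at its 'Uniqueness Score' line."""
import re
from collections import Counter, defaultdict

SAMPLE = """\
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 018CEBAF
Memory Dump Source
• Source File: 00000002.00000002.2576852846.00000000018C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C0000, based on PE: false
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• Opcode ID: a6febd69d09f2388e5f6cfa71b8bb693bff7c7a0bd5e7e3bb65321ed5447af7f
• Instruction Fuzzy Hash: CE11E4B1C006599BDB10CF9AD544BDEFBF4AF48320F15816AD918B7240D378A954CFA5
Uniqueness Score: -1.00%
Control-flow Graph
• Executed
• Not Executed
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 015AB436
Memory Dump Source
• Source File: 00000002.00000002.2575510541.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
Similarity
• API ID: HandleModule
• Opcode ID: bc7c3247efb47c150dac2f5ded66c71c66a2facc07fb7ed19f2fa763fd824a51
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Similarity
• API ID:
• Opcode ID: 9ecdafa927286c73cbca9120d2eb8f38070ebe782620d6940b64580c71ebe41b
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Similarity
• Opcode ID: ace8028c6f6faa846f2583125b987d95912caa3eb6ea82c4bf630bf02f71b2a5
Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
SOURCE_RE = re.compile(r"Source File:\s*(?P<file>\S+?),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?\d+(?:\.\d+)?)%")

def _new_entry():
    return {"apis": [], "fields": {}, "source_file": None, "offset": None,
            "based_on_pe": None, "uniqueness_score": None}

def parse_entries(text):
    """One record per entry; the 'Uniqueness Score' line closes an entry."""
    entries, cur, section = [], _new_entry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SCORE_RE.match(line)
        if m:
            cur["uniqueness_score"] = float(m.group("score"))
            entries.append(cur)
            cur, section = _new_entry(), None
            continue
        if not line.startswith("•"):
            section = line  # section header: 'APIs', 'Similarity', ...
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            cur["apis"].append({"name": m.group("name"), "module": m.group("module"),
                                "args": m.group("args"), "ref": int(m.group("ref"), 16)})
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # legend bullets such as '• Executed' carry no field
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "Source File" and (s := SOURCE_RE.search(line)):
            cur["source_file"] = s.group("file")
            cur["offset"] = int(s.group("offset"), 16)
            cur["based_on_pe"] = s.group("pe") == "true"
        else:
            cur["fields"][key] = value
    return entries

def base_from_source_file(name):
    """Fourth dot-separated field of the .sdmp name, read as an address
    (assumption: it is the dump's base; it equals every Offset on this page)."""
    return int(name.split(".")[3], 16)

def offset_consistent(entry):
    return entry["source_file"] is not None and \
        base_from_source_file(entry["source_file"]) == entry["offset"]

def api_calls_by_region(entries):
    """Dump base address -> set of API names resolved by functions in it."""
    out = defaultdict(set)
    for e in entries:
        for call in e["apis"]:
            out[e["offset"]].add(call["name"])
    return dict(out)

def duplicate_opcode_ids(entries):
    """Opcode IDs shared by more than one entry (same function in several dumps)."""
    ids = Counter(e["fields"].get("Opcode ID") for e in entries if e["fields"].get("Opcode ID"))
    return {k: n for k, n in ids.items() if n > 1}
```

Run over the whole page, `api_calls_by_region` answers the first triage question for a report like this one: which dumped non-image regions (based on PE: false) hold code that resolves which APIs, here 018C0000 with GlobalMemoryStatusEx and 015A0000 with GetModuleHandleW, while the many functions dumped from 06DD0000 resolve none.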

Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ecdafa927286c73cbca9120d2eb8f38070ebe782620d6940b64580c71ebe41b
• Instruction ID: 71ebc07046afe2fde9db1a991c93e559c70aa5536cbdc3e0814ee439d63df086
• Opcode Fuzzy Hash: 9ecdafa927286c73cbca9120d2eb8f38070ebe782620d6940b64580c71ebe41b
• Instruction Fuzzy Hash: 49624770B0030ACFDB55EB68E990A5DB7E6FF88350B208A68D0059F355DB35ED86CB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ace8028c6f6faa846f2583125b987d95912caa3eb6ea82c4bf630bf02f71b2a5
• Instruction ID: e6faaec26e52262816adf12dfff9d9234f2956c5f5bfe05176b59bb06d537bcf
• Opcode Fuzzy Hash: ace8028c6f6faa846f2583125b987d95912caa3eb6ea82c4bf630bf02f71b2a5
• Instruction Fuzzy Hash: 04027DB0E002099FDBA4EB68D4807ADB7B2FB49318F16852BD445EB381DB75EC41CB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dbc537445c16834a9092ed284759e66cecbb9683b1cf41f5dd4e9ed158b77f6c
• Instruction ID: b4a02025350fa0085226bb5fba8c47b1a43de39c9b900941a1f407a5af2e79c5
• Opcode Fuzzy Hash: dbc537445c16834a9092ed284759e66cecbb9683b1cf41f5dd4e9ed158b77f6c
• Instruction Fuzzy Hash: 03E16C70F102098FDB65EBA8D4846AEB7B6FF88310F24852AD805EB344DB75DD46CB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a57a5a9228c4d22d61aba2c98fc4d6c02208f36f61845a7cc18dffd6f82ddcc8
• Instruction ID: 21e71e4795406d75365ecb022a2ea63a6134aaaae0d746d8b253a5c59a73f771
• Opcode Fuzzy Hash: a57a5a9228c4d22d61aba2c98fc4d6c02208f36f61845a7cc18dffd6f82ddcc8
• Instruction Fuzzy Hash: C9913E31B102098BDB54DB69D860BAEB7B6FFC8300F5485A9D809EB384EB759D418B91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d7c65ac4b7fac33b90e253e2df348e23ba738056697aed47900d4fbfb376806
• Instruction ID: 89f1ce8926d836aad16c42112ef3e23b2a280b3e3d8ade4a096d6764e70807e5
• Opcode Fuzzy Hash: 5d7c65ac4b7fac33b90e253e2df348e23ba738056697aed47900d4fbfb376806
• Instruction Fuzzy Hash: B261C471F001114BDF61AB7EC99466EBAE7AFD4620F194039D80AEB364DEB5DC0287D1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2167ea1333640dfc7ec50e1461d6b33688520e3b1a3369f0c603239ef9b7807a
• Instruction ID: 2445ae17673240e31fc78715608182043da2d28f58f742add2a9c06d7d63cd8d
• Opcode Fuzzy Hash: 2167ea1333640dfc7ec50e1461d6b33688520e3b1a3369f0c603239ef9b7807a
• Instruction Fuzzy Hash: 2F816030B002098BDF55DFA9D4A47AEB7F2AF89300F108569D40AEB394EB75DC428B91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 23a44b8283f1a6989195eaba15e62b3a161954ac1b3293491e363818e455130f
• Instruction ID: 905cc86a6c426aba20965332ead4c2401bca1b60fc4112030098a09278a13435
• Opcode Fuzzy Hash: 23a44b8283f1a6989195eaba15e62b3a161954ac1b3293491e363818e455130f
• Instruction Fuzzy Hash: 92913E30E002199FDF60DF68C890B9DBBB1FF89310F208599D549AB295DB71AA85CF91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c4e8dfa5ca531cdfc3edbe4b3b573ca3359a883f99773035d9fd54521f5898b
• Instruction ID: a298f1d32de665ba3a944ff4218bff634828b2ddfb06440bb368e27dd7e7ffb4
• Opcode Fuzzy Hash: 5c4e8dfa5ca531cdfc3edbe4b3b573ca3359a883f99773035d9fd54521f5898b
• Instruction Fuzzy Hash: 7E913C30E106199BDF60DF68C890BDDB7B1FF89310F208699D549BB284DB71AA85CF91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3df4aedf9861bc55b666311628599090b077351d890ac0a6f2266e27e222ebdd
• Instruction ID: aec29447bbd71dbeb4200cc10bb007d59060837e9d0312f705dc1a9e876d6f7b
• Opcode Fuzzy Hash: 3df4aedf9861bc55b666311628599090b077351d890ac0a6f2266e27e222ebdd
• Instruction Fuzzy Hash: 73713B70B006099FDB54EBA9D980AADBBF6FF88310F148429D415EB255DB30ED46CB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b8fe4714bec2e9a273bee0a4c89a80758fc5ed62a1fd244db4b411db4d4bd341
• Instruction ID: 346191917a722334e51cc7790b8cbdfc14fcb9e16eeda6e33873651864e0cb14
• Opcode Fuzzy Hash: b8fe4714bec2e9a273bee0a4c89a80758fc5ed62a1fd244db4b411db4d4bd341
• Instruction Fuzzy Hash: 89712A70B002099FDB54EBA9D980AADBBF6FF88310F248429D415EB354DB34ED46CB51
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3bb451a63e2246ad433ae45095d48be7a38e2addead6747496eb60fa2adfa039
• Instruction ID: 04e8ffeda3578623021a1369170f1ee5c0ee7926abe904a5e3bba2dc2eb27b5c
• Opcode Fuzzy Hash: 3bb451a63e2246ad433ae45095d48be7a38e2addead6747496eb60fa2adfa039
• Instruction Fuzzy Hash: B3616E30B002099FEB54AFA9C8147AEBBF6FFC8310F208429D506EB394DB758D458B91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cd5333ad20844562db7727aaf59acecafbb41eb817c7dc932f3b2905ce4651b6
• Instruction ID: 2c060d41e081b7b423578b50901ceff78ee0cb382926a4f327c49e798357767b
• Opcode Fuzzy Hash: cd5333ad20844562db7727aaf59acecafbb41eb817c7dc932f3b2905ce4651b6
• Instruction Fuzzy Hash: 6D51C036E00205DFDB64BFB8E4986ADB7B2EB88311F10886AE507DB350DB359D55CB81
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb39f825a21ac7cf7c147faa9d5a33e5f1cf7d904b0b4cbafa8f140c2b148495
• Instruction ID: 66e157221c20a4d39508bb7ee4984a02ee3853baffdbee494655755cc003671d
• Opcode Fuzzy Hash: eb39f825a21ac7cf7c147faa9d5a33e5f1cf7d904b0b4cbafa8f140c2b148495
• Instruction Fuzzy Hash: F0518570B103049BEF64A76CE898B6F266EE78D750F20842AE50BC73D5C979CC4587A2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a1a5222c2875b0cd4c3aaee709d9e61130582dd63f581d8afbc809fb29580649
• Instruction ID: 977729b2b532f81e870c053967311f17045c11d4113306884d2c2a0bced49f04
• Opcode Fuzzy Hash: a1a5222c2875b0cd4c3aaee709d9e61130582dd63f581d8afbc809fb29580649
• Instruction Fuzzy Hash: 8A516F30B002059FDB54EB68E8A0B6E77F6FBC8300F548469D809EB394EF769C418B91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cdec2d8aa6fc1e4601f8ac3fabced1a7473dbc41cd6061d10809446995c7ce26
• Instruction ID: 4104fe477f91abcb1ef52fe998f1fde0eacb94c4557c50daad2b3fedeab45213
• Opcode Fuzzy Hash: cdec2d8aa6fc1e4601f8ac3fabced1a7473dbc41cd6061d10809446995c7ce26
• Instruction Fuzzy Hash: 5E516674B103149BEF64A76CE898B2F266EE78D750F20842AE50BD73D4C979CC4587A2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1e4f916484ed079e4f324784117d8bba52945fdb3410a748c72b013ccf6c11bd
• Instruction ID: 83c3386b4e556c18216dc02e142e31db8fa368651459287fd1abbdabe95a170e
• Opcode Fuzzy Hash: 1e4f916484ed079e4f324784117d8bba52945fdb3410a748c72b013ccf6c11bd
• Instruction Fuzzy Hash: 03416F72E006098FDF71DF99E880ABFB7B2FB88310F10492AE156D7650D730E9558B91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6d731a8b4d8278f9192304f875f64c4b625fe7afda86655dc66393e78d93032a
• Instruction ID: bb72471d149bae5c32de468b75c6afda6797af268e25156f33502f0e4dd8ac01
• Opcode Fuzzy Hash: 6d731a8b4d8278f9192304f875f64c4b625fe7afda86655dc66393e78d93032a
• Instruction Fuzzy Hash: E7416E30E003099FDF64EFA9D8946AEBBB6BF85244F118529E805EB240DB71D946CB91
Uniqueness
• Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2abace0cbd837bfacbabf0ecb67fe55302296fddb039aa7bc288c3b4eaca8bed
                                                                                  • Instruction ID: a8d337beaec386285f3d0778aadaa9c4334f3f920217e306e7c981788938332f
                                                                                  • Opcode Fuzzy Hash: 2abace0cbd837bfacbabf0ecb67fe55302296fddb039aa7bc288c3b4eaca8bed
                                                                                  • Instruction Fuzzy Hash: 98418074B002099FEB549FA9C814BAEBBF6FFC8710F208529D505EB394DB759C058B91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1f66d61d08842eeb083c32100aa4099857079d4460535bbbe96d54c9b485bb69
                                                                                  • Instruction ID: e481857333d9070a09578b4e53724354518ed8de872912326e70c6f13c8069ed
                                                                                  • Opcode Fuzzy Hash: 1f66d61d08842eeb083c32100aa4099857079d4460535bbbe96d54c9b485bb69
                                                                                  • Instruction Fuzzy Hash: F0312131B102028FCB68AB78D45866E7BE3AB89304B14886CE502DB350DF36CE06CBD1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 754a77f107492ac0863c9287f371addb6ea718b267ba899865f70b9b6fd2db98
                                                                                  • Instruction ID: 05745713cfaac9abeba7670235618502324b053c3d00295249d6f6de24ca1d55
                                                                                  • Opcode Fuzzy Hash: 754a77f107492ac0863c9287f371addb6ea718b267ba899865f70b9b6fd2db98
                                                                                  • Instruction Fuzzy Hash: B231D030B102068FDB65AB78D45866E7BA6BBC9314B14886CE406DB394DF35DE06CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: caff7e2ed8f4056c279198862a6442831a1284d1a1d873a3b24571ea08fcd010
                                                                                  • Instruction ID: 0802ddb822899869b60e2218c0d47bd396d8517b0dd3b6a00e4d90119489e595
                                                                                  • Opcode Fuzzy Hash: caff7e2ed8f4056c279198862a6442831a1284d1a1d873a3b24571ea08fcd010
                                                                                  • Instruction Fuzzy Hash: 94318470E107099BDF25DF69D890A9EB7B6FF85340F108529E805EB200EB71E946CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d28244933a049d837a392a3b306e8d36a58087d927425222b4ec8980ebff33c2
                                                                                  • Instruction ID: f2a8a3b8fe86d059658211f58b45cb102ff594930ce64e4c9821e30b3e6fbe2d
                                                                                  • Opcode Fuzzy Hash: d28244933a049d837a392a3b306e8d36a58087d927425222b4ec8980ebff33c2
                                                                                  • Instruction Fuzzy Hash: 96318D30E102059BCB59DF69D89469EBBF2FF89300F50C529EA06EB750DB31AE42CB51
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 455c7e370ea77a0c7315417502eacc3ade37d124bf14f8b0167c6d453252293f
                                                                                  • Instruction ID: 2991deb36c08c3c1ac713023c3b9fb60bb0612a3710ee7978cd197bdc13f48c7
                                                                                  • Opcode Fuzzy Hash: 455c7e370ea77a0c7315417502eacc3ade37d124bf14f8b0167c6d453252293f
                                                                                  • Instruction Fuzzy Hash: 1A316C30E106059BCB59DF69D89469EB7B2FF89300F50C529EA06EB750EB71AE42CB50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 321916350ff6444333743ebbf4aba7720f443efa87b0722be11dd99114ec0402
                                                                                  • Instruction ID: 34811a78843ec9021886cc6768945a8cd673938a329ae5388cfd68c2db13314d
                                                                                  • Opcode Fuzzy Hash: 321916350ff6444333743ebbf4aba7720f443efa87b0722be11dd99114ec0402
                                                                                  • Instruction Fuzzy Hash: 99216D71F006059FDB50DF7DE880AAEBBF5EB88750F128026E905EB380E734D9418BA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e8708eedd1d1cf3cd00b16e750a9b363a655ea2af0d2df66eb83809041ed97fb
                                                                                  • Instruction ID: cdc33f816fbbf27318551a354edbc9910010fb0068d830911fe148f7f858d35b
                                                                                  • Opcode Fuzzy Hash: e8708eedd1d1cf3cd00b16e750a9b363a655ea2af0d2df66eb83809041ed97fb
                                                                                  • Instruction Fuzzy Hash: 8F216975F006159FDB50DF6DE880AAEBBF1EB88750F15806AE905E7380E734DC008BA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2576166764.000000000182D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0182D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_182d000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 520384230427c336e1bf50fe23fc0b9b6960537a2a9c541efdf9d9bea757fe81
                                                                                  • Instruction ID: 66b815ffd96a6ce12d3c270cfe815639c27d1f3d9ab02379084eb3494b132acb
                                                                                  • Opcode Fuzzy Hash: 520384230427c336e1bf50fe23fc0b9b6960537a2a9c541efdf9d9bea757fe81
                                                                                  • Instruction Fuzzy Hash: 61213771504344DFDB12DF54D9C0B26BFA5FB84318F24C66DD8098B2A2C33AD987CA62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1fc6006426d7c1e42866e9c9f1e0422f820dba814a4f2d01b43c9723f6be42de
                                                                                  • Instruction ID: 26a5346932f0a9a7be47549782331d7ba7965d1268dd45a5a1926b7d839e14ab
                                                                                  • Opcode Fuzzy Hash: 1fc6006426d7c1e42866e9c9f1e0422f820dba814a4f2d01b43c9723f6be42de
                                                                                  • Instruction Fuzzy Hash: 52217231B101199BDF44EB6DF8546ADB7B6EBC4350F248469D405EB390DB36ED418BD0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c1bbdddafce214114f66b5939861ced0bfa5a156f9c4d59aee60edd49a14dc2c
                                                                                  • Instruction ID: 24ef1f8668228f6d9bb15b8880453f4a58b69fe44487209934414cda048e0914
                                                                                  • Opcode Fuzzy Hash: c1bbdddafce214114f66b5939861ced0bfa5a156f9c4d59aee60edd49a14dc2c
                                                                                  • Instruction Fuzzy Hash: 99117C32B101288BCB55AA6CD8546AE76B6ABC9351B05853AD806E7390EF25DC028BA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7baafde4f6013fb678e15b98690870aabc037d454599af93cf9b063c97d457f8
                                                                                  • Instruction ID: bd02eeb8702750dff4bea9a9d7a7750572b3630cb6f8fd070d81ea16c222bb2e
                                                                                  • Opcode Fuzzy Hash: 7baafde4f6013fb678e15b98690870aabc037d454599af93cf9b063c97d457f8
                                                                                  • Instruction Fuzzy Hash: 4F01D831B045100BDB7197BDA85471BBBDADBCA724F10843EE50ACB392EE75DC024391
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c5194e89fd7fa04f627b4417bf0bc4ea4071f593bb3a1922d45debdd4ff30c21
                                                                                  • Instruction ID: c2f6bc8b88105f5daba0068ac7fe5644fce7801d8a11ae2ffb5a7f63e9bc906f
                                                                                  • Opcode Fuzzy Hash: c5194e89fd7fa04f627b4417bf0bc4ea4071f593bb3a1922d45debdd4ff30c21
                                                                                  • Instruction Fuzzy Hash: 2101D471B142100FD751A7BCE854B1FB7EAEB8A720F14C82DE50ACB351EA65EC0183E6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: aee04294d720f4574db10c6d4dfdebf3a4c8156a9c74b84e2c826f93a001a517
                                                                                  • Instruction ID: 7e8b10b4c96e79e11d1af45c833cffd797a26cf856e220abea0aeac386e8b8aa
                                                                                  • Opcode Fuzzy Hash: aee04294d720f4574db10c6d4dfdebf3a4c8156a9c74b84e2c826f93a001a517
                                                                                  • Instruction Fuzzy Hash: 6701D476F104284BCF98966CDC246BB32EAEBC5360F02413AD406E7280EE65CC0147E2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d6b3921f13367c4a9a0f68b85f7e12a116651f70f6ee0fc77af3ddc5e7cd0a38
                                                                                  • Instruction ID: 15e7376c60098c522a4e7d6d155de0c500a457318609310ad4a4da03a791b02e
                                                                                  • Opcode Fuzzy Hash: d6b3921f13367c4a9a0f68b85f7e12a116651f70f6ee0fc77af3ddc5e7cd0a38
                                                                                  • Instruction Fuzzy Hash: E521C2B5D01259AFDB10DF9AD884ACEFBB4FB49310F50812AE918A7340D374A954CFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b67e09a132eaa288cc47decd37f38692f0d3259ca9a075046869ad920386097a
                                                                                  • Instruction ID: e74ca7f466c94608330503897d7c4c2a51bbd03856f5dc8d0259c6488fff1824
                                                                                  • Opcode Fuzzy Hash: b67e09a132eaa288cc47decd37f38692f0d3259ca9a075046869ad920386097a
                                                                                  • Instruction Fuzzy Hash: 0E01D435B041600BCB66AB7CA854B2B6BD6DBCAB20F14842AE10ACB385DE34DC0683D1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2576166764.000000000182D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0182D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_182d000_Gcerti Quote.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000002.00000002.2584342374.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dd0000_Gcerti Quote.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%