Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Quote35664776.exe

Overview

General Information

Sample name:Quote35664776.exe
Analysis ID:1543824
MD5:560b914d9a5652a2cd8e91885a866954
SHA1:e516c3e218ab80245f3f2eb1502a1ecb07e69ba3
SHA256:bcca185afcdcd92fde60a3d4676f7efd40126e9ce50d9971f7e725bd04b8bfb4
Tags:exe
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Quote35664776.exe (PID: 6448 cmdline: "C:\Users\user\Desktop\Quote35664776.exe" MD5: 560B914D9A5652A2CD8E91885A866954)
    • powershell.exe (PID: 7292 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote35664776.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7528 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • Quote35664776.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\Quote35664776.exe" MD5: 560B914D9A5652A2CD8E91885A866954)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.1359589287.0000000001340000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000007.00000002.1359589287.0000000001340000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2be40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x13fef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000007.00000002.1358925300.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000007.00000002.1358925300.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2f213:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x173c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      Process Memory Space: Quote35664776.exe PID: 6448JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        7.2.Quote35664776.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          7.2.Quote35664776.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2e413:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x165c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          7.2.Quote35664776.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            7.2.Quote35664776.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
            • 0x2f213:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
            • 0x173c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote35664776.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote35664776.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quote35664776.exe", ParentImage: C:\Users\user\Desktop\Quote35664776.exe, ParentProcessId: 6448, ParentProcessName: Quote35664776.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote35664776.exe", ProcessId: 7292, ProcessName: powershell.exe
            Sigma detected: Powershell Defender Exclusion
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote35664776.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote35664776.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quote35664776.exe", ParentImage: C:\Users\user\Desktop\Quote35664776.exe, ParentProcessId: 6448, ParentProcessName: Quote35664776.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote35664776.exe", ProcessId: 7292, ProcessName: powershell.exe
            Sigma detected: Non Interactive PowerShell Process Spawned
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote35664776.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote35664776.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quote35664776.exe", ParentImage: C:\Users\user\Desktop\Quote35664776.exe, ParentProcessId: 6448, ParentProcessName: Quote35664776.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote35664776.exe", ProcessId: 7292, ProcessName: powershell.exe

            Suricata Signatures

            No Suricata rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: Quote35664776.exeAvira: detected
            Multi AV Scanner detection for submitted file
            Source: Quote35664776.exeReversingLabs: Detection: 42%
            Yara detected FormBook
            Source: Yara matchFile source: 7.2.Quote35664776.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 7.2.Quote35664776.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.1359589287.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.1358925300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Machine Learning detection for sample
            Source: Quote35664776.exeJoe Sandbox ML: detected
            Source: Quote35664776.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: Quote35664776.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wntdll.pdbUGP source: Quote35664776.exe, 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Quote35664776.exe, Quote35664776.exe, 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: yjvR.pdb source: Quote35664776.exe
            Source: Binary string: yjvR.pdbSHA256 source: Quote35664776.exe
            Source: Quote35664776.exe, 00000003.00000002.1331118649.0000000002D2D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            E-Banking Fraud

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 7.2.Quote35664776.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 7.2.Quote35664776.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.1359589287.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.1358925300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 7.2.Quote35664776.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 7.2.Quote35664776.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.1359589287.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.1358925300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0042C4E3 NtClose,7_2_0042C4E3
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512B60 NtClose,LdrInitializeThunk,7_2_01512B60
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_01512DF0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_01512C70
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015135C0 NtCreateMutant,LdrInitializeThunk,7_2_015135C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01514340 NtSetContextThread,7_2_01514340
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01514650 NtSuspendThread,7_2_01514650
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512BF0 NtAllocateVirtualMemory,7_2_01512BF0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512BE0 NtQueryValueKey,7_2_01512BE0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512B80 NtQueryInformationFile,7_2_01512B80
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512BA0 NtEnumerateValueKey,7_2_01512BA0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512AD0 NtReadFile,7_2_01512AD0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512AF0 NtWriteFile,7_2_01512AF0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512AB0 NtWaitForSingleObject,7_2_01512AB0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512D10 NtMapViewOfSection,7_2_01512D10
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512D00 NtSetInformationFile,7_2_01512D00
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512D30 NtUnmapViewOfSection,7_2_01512D30
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512DD0 NtDelayExecution,7_2_01512DD0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512DB0 NtEnumerateKey,7_2_01512DB0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512C60 NtCreateKey,7_2_01512C60
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512C00 NtQueryInformationProcess,7_2_01512C00
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512CC0 NtQueryVirtualMemory,7_2_01512CC0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512CF0 NtOpenProcess,7_2_01512CF0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512CA0 NtQueryInformationToken,7_2_01512CA0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512F60 NtCreateProcessEx,7_2_01512F60
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512F30 NtCreateSection,7_2_01512F30
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512FE0 NtCreateFile,7_2_01512FE0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512F90 NtProtectVirtualMemory,7_2_01512F90
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512FB0 NtResumeThread,7_2_01512FB0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512FA0 NtQuerySection,7_2_01512FA0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512E30 NtWriteVirtualMemory,7_2_01512E30
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512EE0 NtQueueApcThread,7_2_01512EE0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512E80 NtReadVirtualMemory,7_2_01512E80
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512EA0 NtAdjustPrivilegesToken,7_2_01512EA0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01513010 NtOpenDirectoryObject,7_2_01513010
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01513090 NtSetValueKey,7_2_01513090
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015139B0 NtGetContextThread,7_2_015139B0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01513D70 NtOpenThread,7_2_01513D70
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01513D10 NtOpenProcessToken,7_2_01513D10
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 3_2_010CDA8C3_2_010CDA8C
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 3_2_0CC53A103_2_0CC53A10
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0040284A7_2_0040284A
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_004028507_2_00402850
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_004100937_2_00410093
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_004031507_2_00403150
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0040E1137_2_0040E113
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0042EB037_2_0042EB03
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0040FE6E7_2_0040FE6E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0040FE737_2_0040FE73
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_004167337_2_00416733
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015681587_2_01568158
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D01007_2_014D0100
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157A1187_2_0157A118
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015981CC7_2_015981CC
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A01AA7_2_015A01AA
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015941A27_2_015941A2
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015720007_2_01572000
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159A3527_2_0159A352
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A03E67_2_015A03E6
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014EE3F07_2_014EE3F0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015802747_2_01580274
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015602C07_2_015602C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E05357_2_014E0535
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A05917_2_015A0591
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015924467_2_01592446
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015844207_2_01584420
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0158E4F67_2_0158E4F6
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015047507_2_01504750
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E07707_2_014E0770
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DC7C07_2_014DC7C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FC6E07_2_014FC6E0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F69627_2_014F6962
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E29A07_2_014E29A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015AA9A67_2_015AA9A6
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E28407_2_014E2840
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014EA8407_2_014EA840
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150E8F07_2_0150E8F0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014C68B87_2_014C68B8
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159AB407_2_0159AB40
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01596BD77_2_01596BD7
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DEA807_2_014DEA80
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157CD1F7_2_0157CD1F
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014EAD007_2_014EAD00
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DADE07_2_014DADE0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F8DBF7_2_014F8DBF
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0C007_2_014E0C00
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D0CF27_2_014D0CF2
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01580CB57_2_01580CB5
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01554F407_2_01554F40
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01500F307_2_01500F30
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01582F307_2_01582F30
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01522F287_2_01522F28
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D2FC87_2_014D2FC8
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014ECFE07_2_014ECFE0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155EFA07_2_0155EFA0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0E597_2_014E0E59
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159EE267_2_0159EE26
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159EEDB7_2_0159EEDB
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159CE937_2_0159CE93
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F2E907_2_014F2E90
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015AB16B7_2_015AB16B
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0151516C7_2_0151516C
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CF1727_2_014CF172
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014EB1B07_2_014EB1B0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E70C07_2_014E70C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0158F0CC7_2_0158F0CC
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015970E97_2_015970E9
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159F0E07_2_0159F0E0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CD34C7_2_014CD34C
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159132D7_2_0159132D
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0152739A7_2_0152739A
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FB2C07_2_014FB2C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015812ED7_2_015812ED
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E52A07_2_014E52A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015975717_2_01597571
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A95C37_2_015A95C3
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157D5B07_2_0157D5B0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D14607_2_014D1460
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159F43F7_2_0159F43F
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159F7B07_2_0159F7B0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015256307_2_01525630
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015916CC7_2_015916CC
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E99507_2_014E9950
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FB9507_2_014FB950
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015759107_2_01575910
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154D8007_2_0154D800
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E38E07_2_014E38E0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159FB767_2_0159FB76
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01555BF07_2_01555BF0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0151DBF97_2_0151DBF9
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FFB807_2_014FFB80
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159FA497_2_0159FA49
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01597A467_2_01597A46
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01553A6C7_2_01553A6C
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0158DAC67_2_0158DAC6
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01525AA07_2_01525AA0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157DAAC7_2_0157DAAC
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01581AA37_2_01581AA3
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01591D5A7_2_01591D5A
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E3D407_2_014E3D40
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01597D737_2_01597D73
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FFDC07_2_014FFDC0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01559C327_2_01559C32
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159FCF27_2_0159FCF2
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159FF097_2_0159FF09
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014A3FD27_2_014A3FD2
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014A3FD57_2_014A3FD5
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E1F927_2_014E1F92
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159FFB17_2_0159FFB1
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E9EB07_2_014E9EB0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: String function: 01515130 appears 58 times
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: String function: 0155F290 appears 105 times
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: String function: 014CB970 appears 277 times
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: String function: 0154EA12 appears 86 times
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: String function: 01527E54 appears 111 times
            Source: Quote35664776.exe, 00000003.00000002.1339818113.0000000009BC0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs Quote35664776.exe
            Source: Quote35664776.exe, 00000003.00000002.1306406310.0000000000D2E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Quote35664776.exe
            Source: Quote35664776.exe, 00000003.00000000.1280871170.0000000000736000.00000002.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenameyjvR.exe6 vs Quote35664776.exe
            Source: Quote35664776.exe, 00000007.00000002.1359717433.00000000015CD000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Quote35664776.exe
            Source: Quote35664776.exeBinary or memory string: OriginalFilenameyjvR.exe6 vs Quote35664776.exe
            Source: Quote35664776.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 7.2.Quote35664776.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 7.2.Quote35664776.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.1359589287.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.1358925300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Quote35664776.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, x6cK73VO5rSrjlo76X.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, Sok1NDXnWLr75Px8nU.csSecurity API names: _0020.SetAccessControl
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, Sok1NDXnWLr75Px8nU.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, Sok1NDXnWLr75Px8nU.csSecurity API names: _0020.AddAccessRule
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, Sok1NDXnWLr75Px8nU.csSecurity API names: _0020.SetAccessControl
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, Sok1NDXnWLr75Px8nU.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, Sok1NDXnWLr75Px8nU.csSecurity API names: _0020.AddAccessRule
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, x6cK73VO5rSrjlo76X.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, x6cK73VO5rSrjlo76X.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, Sok1NDXnWLr75Px8nU.csSecurity API names: _0020.SetAccessControl
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, Sok1NDXnWLr75Px8nU.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, Sok1NDXnWLr75Px8nU.csSecurity API names: _0020.AddAccessRule
            Source: classification engineClassification label: mal100.troj.evad.winEXE@7/6@0/0
            Source: C:\Users\user\Desktop\Quote35664776.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quote35664776.exe.logJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_auxzxpwz.0ck.ps1Jump to behavior
            Source: Quote35664776.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: Quote35664776.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\Quote35664776.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: Quote35664776.exeReversingLabs: Detection: 42%
            Source: Quote35664776.exeString found in binary or memory: $8ef8c825-4d3b-4232-add3-f59032e3b409
            Source: unknownProcess created: C:\Users\user\Desktop\Quote35664776.exe "C:\Users\user\Desktop\Quote35664776.exe"
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote35664776.exe"
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess created: C:\Users\user\Desktop\Quote35664776.exe "C:\Users\user\Desktop\Quote35664776.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote35664776.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess created: C:\Users\user\Desktop\Quote35664776.exe "C:\Users\user\Desktop\Quote35664776.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\Quote35664776.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: Quote35664776.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Quote35664776.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Quote35664776.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: wntdll.pdbUGP source: Quote35664776.exe, 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Quote35664776.exe, Quote35664776.exe, 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: yjvR.pdb source: Quote35664776.exe
            Source: Binary string: yjvR.pdbSHA256 source: Quote35664776.exe

            Data Obfuscation

            barindex
            .NET source code contains potential unpacker
            Source: Quote35664776.exe, frmMain.cs.Net Code: InitializeComponent System.AppDomain.Load(byte[])
            Source: Quote35664776.exe, frmMain.cs.Net Code: InitializeComponent
            Source: 3.2.Quote35664776.exe.3ac0b90.0.raw.unpack, Uo.cs.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, Sok1NDXnWLr75Px8nU.cs.Net Code: Qy11SmBiIl System.Reflection.Assembly.Load(byte[])
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, Sok1NDXnWLr75Px8nU.cs.Net Code: Qy11SmBiIl System.Reflection.Assembly.Load(byte[])
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, Sok1NDXnWLr75Px8nU.cs.Net Code: Qy11SmBiIl System.Reflection.Assembly.Load(byte[])
            Source: 3.2.Quote35664776.exe.5270000.3.raw.unpack, Uo.cs.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
            Source: Quote35664776.exeStatic PE information: 0x89636CF8 [Fri Jan 16 04:15:52 2043 UTC]
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0041F0D1 push ebp; iretd 7_2_0041F0DA
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_004118F3 push esp; iretd 7_2_00411926
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_004118B0 push esp; iretd 7_2_00411926
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0041B2EA pushfd ; retf 7_2_0041B2ED
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_004033D0 push eax; ret 7_2_004033D2
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0040BCC7 push C1009F53h; ret 7_2_0040BCCE
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_00406567 push edx; iretd 7_2_00406568
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_004165BD pushfd ; retf 7_2_004165C1
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0040863B push ebx; iretd 7_2_0040863C
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0041E74B push ds; iretd 7_2_0041E74C
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014A225F pushad ; ret 7_2_014A27F9
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014A27FA pushad ; ret 7_2_014A27F9
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D09AD push ecx; mov dword ptr [esp], ecx7_2_014D09B6
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014A283D push eax; iretd 7_2_014A2858
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014A135E push eax; iretd 7_2_014A1369
            Source: Quote35664776.exeStatic PE information: section name: .text entropy: 7.977991168390122
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, x6cK73VO5rSrjlo76X.csHigh entropy of concatenated method names: 'TQsPny76uP', 'SbePZE6Mfh', 'jOXPuGTfHo', 'B5YPawatgb', 'WOrPLv2iHX', 'uJwPhopWer', 'oKFPwC6E9i', 'j2qP3CIG7J', 'hUSP6JvV92', 'd0jPEbrVmV'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, rFLhHkFC8SefOnqKOq2.csHigh entropy of concatenated method names: 'm7GINcdEq5', 'HmpIFKDHCE', 'F4JISsZ4Le', 'PBYIbZHiqX', 'pGDIgbTvxR', 'vXsIeB42gm', 'U8dI0JgbIZ', 'O6oIYSIv5o', 'PStIAhM343', 'E3kIvFFOD9'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, Sok1NDXnWLr75Px8nU.csHigh entropy of concatenated method names: 'Nww7sb97WO', 'IqA7rRAUn6', 'RTr7P81epm', 'RsQ7cNkkIb', 'A6N7G8gVib', 'vyj7xSE4Ot', 'SKu7iOcdCI', 'H3m7Vet7HY', 'cWO7pIkvnI', 'IhF75bdBEb'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, HZ68fDib74Ymn7KC6t.csHigh entropy of concatenated method names: 'tLqIXJhXfm', 'LkHI7XTrsi', 'HQ5I1a1loi', 'k7MIrdgF88', 'L3LIPOpIVP', 'siqIGbiIxf', 'Io9IxpXOFc', 'WSWUwsnrTa', 'BedU3a4L1c', 'M18U6yFKq7'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, bs2fgozyYvXB1H4niC.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QwHIBmFJs9', 'QSTIkuJ6og', 'gicIykCkQX', 'xGMIDdc9da', 'UqTIUvjvl4', 'gBYIIYJr5J', 'WgiIOUWPtx'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, bA9RTfZIChuDRqfLHK.csHigh entropy of concatenated method names: 'TsCxsnGHwO', 'OTcxP6ioLA', 'WCuxGYAqCa', 'QHIxiwRj6P', 'DUqxVpMfbf', 'hAEGLN45hs', 'xkPGhWvnqp', 'cFLGwWTMOn', 'mCmG3o6kjn', 'YdeG6DvAqT'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, vAn0HoArA23Maefiap.csHigh entropy of concatenated method names: 'BEtcbdZ8BK', 'mBxceDM8GV', 'rvccYniltf', 'PKucA0Hneh', 'IdQcke2hU3', 'iuncyssD0S', 't6lcDhlKvB', 'IxYcUI3Meq', 'tpMcIbrMft', 'QracOxAaOg'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, SW8DeeB6aVHGjqOFRf.csHigh entropy of concatenated method names: 'smVUrYns7P', 'esLUPjmHUp', 'osfUcvjLvM', 'oHTUGrxCY4', 'Y2XUxqM7Bh', 'xEuUiS06XZ', 'eXyUVRqitd', 'MvfUpetVpR', 'pG5U5Uu3AB', 'k6HUo1ruHH'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, LrDp2gPDDKXhK6nGRi.csHigh entropy of concatenated method names: 'BfFBYAM7ks', 'APTBAFO9pD', 'qtbBTB0oOK', 'd6NBdMnkb9', 'C0dBfHLt9e', 'r5lBHpy8dj', 'TMmB9k7q8c', 'rDrBJmX3RA', 'yZSBRKCB3D', 'Bh1B8EiMdw'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, pINXIehvWXwyqsnbgr.csHigh entropy of concatenated method names: 'j0eXiGkS4B', 'WE5XVX4qFr', 'iVmX578VTs', 'VYgXofu2ZN', 'm64XkeuXTx', 'fTHXyNcQ1u', 'WURla1957MyhsF3ELX', 'euhib6kbWrXOlCseQd', 'p9GXXjqfrU', 'u0nX7AtSqw'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, bAfoyn70OPLcRmMWLY.csHigh entropy of concatenated method names: 'XiLUTV9Q7D', 'I9IUdGnRrB', 'riEUWrvEyN', 'vjTUfEUjo1', 'dCOUnFR6hV', 'QmfUHbl9Ts', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, A6o9CQUC8uU9J0HUNg.csHigh entropy of concatenated method names: 'X4GirPfnY9', 'mvDicx1sBU', 'MERix8dQWZ', 'o1gxERdKxr', 'zKIxzeKlcw', 'mkfiQaFUjC', 'DhxiXr1oXg', 'rJhiC1Nw3T', 'tZoi7GC7Zh', 'uMsi1l8pmq'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, Q52MZZGMumw2JdOafM.csHigh entropy of concatenated method names: 'l2UD3EJiRk', 'swCDEOfvFm', 'MU7UQD2lG3', 'oj7UXPKs4T', 'lSiD8kY3WS', 'XY4DK7N7YQ', 'B7nDjCXbcp', 'Ul6DnV5EdX', 'qpDDZHQA9L', 'MujDuJtGJY'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, YPyR0rScyFQHt4LSxI.csHigh entropy of concatenated method names: 'IF7SOoKod', 'VxIbiYaZ3', 'bSFe3XdW6', 'a7i0xcD7o', 'OSAADwIuL', 'zJkv5Y2yA', 'yoHpMMT5JH0jEHZcuE', 'vnC6nAJA6jemhhOKx6', 'q0YUL4s7G', 'ipSO6UrwS'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, VPTB9Hj1KQYmwFwebe.csHigh entropy of concatenated method names: 'zbCxuQglUr', 'kYuxa7IBa8', 'RIoxL4uDRY', 'ToString', 'tKVxhl70Ti', 'P5dxwuKL2A', 'bdVNOCeCcMocE4bpyn5', 'oN01BCe05Bl6IXl1nfB', 'l5XgpSe54nY59H2KsBi', 'tOVTOQe1SsWQ8HlWL4V'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, auGahYmrbOXQpKrlGf.csHigh entropy of concatenated method names: 'q5wkRYNSlj', 'CJkkK0g6In', 'Wu1kn607Wt', 'JqhkZj4gN1', 'oN2kdKUevq', 'nHbkWCC6Rh', 'I4Ukf1XC2h', 'sfnkHh6gbw', 'ck4k4U6gGO', 'r1qk9yrPPp'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, syv7QdNKtKblnuuuxd.csHigh entropy of concatenated method names: 'n6JGgvBfBc', 'WyeG0jS8VD', 'toncWaaqaK', 'ryAcf7Tv6W', 'EJQcH9DjBF', 'jONc4schkH', 'g1Dc90c0iV', 'Dt2cJnitZx', 'Mx7cmivFXr', 'gjKcRWLAh4'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, SbBo3aTf4cNGFXq9s0.csHigh entropy of concatenated method names: 'cy0iNyYDXo', 'wsiiFxWRwt', 'DyTiSQtMO3', 's4xibu9GTp', 'MumigNNe82', 'E8Die6JJ0T', 'Sf4i0KijoF', 'aeLiY01KNP', 'w92iA8FhrJ', 'KDlivZS8Eh'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, u2YxUHxItJFpKQdbGU.csHigh entropy of concatenated method names: 'ToString', 'ejjy86Wpgx', 'dumydcR8nU', 'EjbyWFgZEe', 'z0Vyfmw7oU', 'vmbyHvjoGV', 'hD9y4BaQQF', 'lRny9yuOHw', 'nIhyJV3ASg', 'FvJymXBY1G'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, R8F35CDOHwNew9N6HY.csHigh entropy of concatenated method names: 'Dispose', 'bLhX6xDWY1', 'HhNCdHkkuR', 'QkJqq8Tk0q', 'WwLXEaG89i', 'bRNXzsb5yg', 'ProcessDialogKey', 'C3RCQRqA7L', 'TkHCXaPEYI', 'NQYCCkRIvR'
            Source: 3.2.Quote35664776.exe.9bc0000.4.raw.unpack, Omg99GFnvJiuifGl2TV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RL6OnckV1V', 'I3qOZooGr0', 'IUZOuRFDZR', 'qC5OaVVAKs', 'UMDOLS2ElB', 'z6FOhPgT43', 'LnROwXhZcl'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, x6cK73VO5rSrjlo76X.csHigh entropy of concatenated method names: 'TQsPny76uP', 'SbePZE6Mfh', 'jOXPuGTfHo', 'B5YPawatgb', 'WOrPLv2iHX', 'uJwPhopWer', 'oKFPwC6E9i', 'j2qP3CIG7J', 'hUSP6JvV92', 'd0jPEbrVmV'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, rFLhHkFC8SefOnqKOq2.csHigh entropy of concatenated method names: 'm7GINcdEq5', 'HmpIFKDHCE', 'F4JISsZ4Le', 'PBYIbZHiqX', 'pGDIgbTvxR', 'vXsIeB42gm', 'U8dI0JgbIZ', 'O6oIYSIv5o', 'PStIAhM343', 'E3kIvFFOD9'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, Sok1NDXnWLr75Px8nU.csHigh entropy of concatenated method names: 'Nww7sb97WO', 'IqA7rRAUn6', 'RTr7P81epm', 'RsQ7cNkkIb', 'A6N7G8gVib', 'vyj7xSE4Ot', 'SKu7iOcdCI', 'H3m7Vet7HY', 'cWO7pIkvnI', 'IhF75bdBEb'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, HZ68fDib74Ymn7KC6t.csHigh entropy of concatenated method names: 'tLqIXJhXfm', 'LkHI7XTrsi', 'HQ5I1a1loi', 'k7MIrdgF88', 'L3LIPOpIVP', 'siqIGbiIxf', 'Io9IxpXOFc', 'WSWUwsnrTa', 'BedU3a4L1c', 'M18U6yFKq7'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, bs2fgozyYvXB1H4niC.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QwHIBmFJs9', 'QSTIkuJ6og', 'gicIykCkQX', 'xGMIDdc9da', 'UqTIUvjvl4', 'gBYIIYJr5J', 'WgiIOUWPtx'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, bA9RTfZIChuDRqfLHK.csHigh entropy of concatenated method names: 'TsCxsnGHwO', 'OTcxP6ioLA', 'WCuxGYAqCa', 'QHIxiwRj6P', 'DUqxVpMfbf', 'hAEGLN45hs', 'xkPGhWvnqp', 'cFLGwWTMOn', 'mCmG3o6kjn', 'YdeG6DvAqT'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, vAn0HoArA23Maefiap.csHigh entropy of concatenated method names: 'BEtcbdZ8BK', 'mBxceDM8GV', 'rvccYniltf', 'PKucA0Hneh', 'IdQcke2hU3', 'iuncyssD0S', 't6lcDhlKvB', 'IxYcUI3Meq', 'tpMcIbrMft', 'QracOxAaOg'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, SW8DeeB6aVHGjqOFRf.csHigh entropy of concatenated method names: 'smVUrYns7P', 'esLUPjmHUp', 'osfUcvjLvM', 'oHTUGrxCY4', 'Y2XUxqM7Bh', 'xEuUiS06XZ', 'eXyUVRqitd', 'MvfUpetVpR', 'pG5U5Uu3AB', 'k6HUo1ruHH'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, LrDp2gPDDKXhK6nGRi.csHigh entropy of concatenated method names: 'BfFBYAM7ks', 'APTBAFO9pD', 'qtbBTB0oOK', 'd6NBdMnkb9', 'C0dBfHLt9e', 'r5lBHpy8dj', 'TMmB9k7q8c', 'rDrBJmX3RA', 'yZSBRKCB3D', 'Bh1B8EiMdw'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, pINXIehvWXwyqsnbgr.csHigh entropy of concatenated method names: 'j0eXiGkS4B', 'WE5XVX4qFr', 'iVmX578VTs', 'VYgXofu2ZN', 'm64XkeuXTx', 'fTHXyNcQ1u', 'WURla1957MyhsF3ELX', 'euhib6kbWrXOlCseQd', 'p9GXXjqfrU', 'u0nX7AtSqw'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, bAfoyn70OPLcRmMWLY.csHigh entropy of concatenated method names: 'XiLUTV9Q7D', 'I9IUdGnRrB', 'riEUWrvEyN', 'vjTUfEUjo1', 'dCOUnFR6hV', 'QmfUHbl9Ts', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, A6o9CQUC8uU9J0HUNg.csHigh entropy of concatenated method names: 'X4GirPfnY9', 'mvDicx1sBU', 'MERix8dQWZ', 'o1gxERdKxr', 'zKIxzeKlcw', 'mkfiQaFUjC', 'DhxiXr1oXg', 'rJhiC1Nw3T', 'tZoi7GC7Zh', 'uMsi1l8pmq'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, Q52MZZGMumw2JdOafM.csHigh entropy of concatenated method names: 'l2UD3EJiRk', 'swCDEOfvFm', 'MU7UQD2lG3', 'oj7UXPKs4T', 'lSiD8kY3WS', 'XY4DK7N7YQ', 'B7nDjCXbcp', 'Ul6DnV5EdX', 'qpDDZHQA9L', 'MujDuJtGJY'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, YPyR0rScyFQHt4LSxI.csHigh entropy of concatenated method names: 'IF7SOoKod', 'VxIbiYaZ3', 'bSFe3XdW6', 'a7i0xcD7o', 'OSAADwIuL', 'zJkv5Y2yA', 'yoHpMMT5JH0jEHZcuE', 'vnC6nAJA6jemhhOKx6', 'q0YUL4s7G', 'ipSO6UrwS'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, VPTB9Hj1KQYmwFwebe.csHigh entropy of concatenated method names: 'zbCxuQglUr', 'kYuxa7IBa8', 'RIoxL4uDRY', 'ToString', 'tKVxhl70Ti', 'P5dxwuKL2A', 'bdVNOCeCcMocE4bpyn5', 'oN01BCe05Bl6IXl1nfB', 'l5XgpSe54nY59H2KsBi', 'tOVTOQe1SsWQ8HlWL4V'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, auGahYmrbOXQpKrlGf.csHigh entropy of concatenated method names: 'q5wkRYNSlj', 'CJkkK0g6In', 'Wu1kn607Wt', 'JqhkZj4gN1', 'oN2kdKUevq', 'nHbkWCC6Rh', 'I4Ukf1XC2h', 'sfnkHh6gbw', 'ck4k4U6gGO', 'r1qk9yrPPp'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, syv7QdNKtKblnuuuxd.csHigh entropy of concatenated method names: 'n6JGgvBfBc', 'WyeG0jS8VD', 'toncWaaqaK', 'ryAcf7Tv6W', 'EJQcH9DjBF', 'jONc4schkH', 'g1Dc90c0iV', 'Dt2cJnitZx', 'Mx7cmivFXr', 'gjKcRWLAh4'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, SbBo3aTf4cNGFXq9s0.csHigh entropy of concatenated method names: 'cy0iNyYDXo', 'wsiiFxWRwt', 'DyTiSQtMO3', 's4xibu9GTp', 'MumigNNe82', 'E8Die6JJ0T', 'Sf4i0KijoF', 'aeLiY01KNP', 'w92iA8FhrJ', 'KDlivZS8Eh'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, u2YxUHxItJFpKQdbGU.csHigh entropy of concatenated method names: 'ToString', 'ejjy86Wpgx', 'dumydcR8nU', 'EjbyWFgZEe', 'z0Vyfmw7oU', 'vmbyHvjoGV', 'hD9y4BaQQF', 'lRny9yuOHw', 'nIhyJV3ASg', 'FvJymXBY1G'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, R8F35CDOHwNew9N6HY.csHigh entropy of concatenated method names: 'Dispose', 'bLhX6xDWY1', 'HhNCdHkkuR', 'QkJqq8Tk0q', 'WwLXEaG89i', 'bRNXzsb5yg', 'ProcessDialogKey', 'C3RCQRqA7L', 'TkHCXaPEYI', 'NQYCCkRIvR'
            Source: 3.2.Quote35664776.exe.45f82d8.1.raw.unpack, Omg99GFnvJiuifGl2TV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RL6OnckV1V', 'I3qOZooGr0', 'IUZOuRFDZR', 'qC5OaVVAKs', 'UMDOLS2ElB', 'z6FOhPgT43', 'LnROwXhZcl'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, x6cK73VO5rSrjlo76X.csHigh entropy of concatenated method names: 'TQsPny76uP', 'SbePZE6Mfh', 'jOXPuGTfHo', 'B5YPawatgb', 'WOrPLv2iHX', 'uJwPhopWer', 'oKFPwC6E9i', 'j2qP3CIG7J', 'hUSP6JvV92', 'd0jPEbrVmV'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, rFLhHkFC8SefOnqKOq2.csHigh entropy of concatenated method names: 'm7GINcdEq5', 'HmpIFKDHCE', 'F4JISsZ4Le', 'PBYIbZHiqX', 'pGDIgbTvxR', 'vXsIeB42gm', 'U8dI0JgbIZ', 'O6oIYSIv5o', 'PStIAhM343', 'E3kIvFFOD9'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, Sok1NDXnWLr75Px8nU.csHigh entropy of concatenated method names: 'Nww7sb97WO', 'IqA7rRAUn6', 'RTr7P81epm', 'RsQ7cNkkIb', 'A6N7G8gVib', 'vyj7xSE4Ot', 'SKu7iOcdCI', 'H3m7Vet7HY', 'cWO7pIkvnI', 'IhF75bdBEb'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, HZ68fDib74Ymn7KC6t.csHigh entropy of concatenated method names: 'tLqIXJhXfm', 'LkHI7XTrsi', 'HQ5I1a1loi', 'k7MIrdgF88', 'L3LIPOpIVP', 'siqIGbiIxf', 'Io9IxpXOFc', 'WSWUwsnrTa', 'BedU3a4L1c', 'M18U6yFKq7'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, bs2fgozyYvXB1H4niC.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QwHIBmFJs9', 'QSTIkuJ6og', 'gicIykCkQX', 'xGMIDdc9da', 'UqTIUvjvl4', 'gBYIIYJr5J', 'WgiIOUWPtx'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, bA9RTfZIChuDRqfLHK.csHigh entropy of concatenated method names: 'TsCxsnGHwO', 'OTcxP6ioLA', 'WCuxGYAqCa', 'QHIxiwRj6P', 'DUqxVpMfbf', 'hAEGLN45hs', 'xkPGhWvnqp', 'cFLGwWTMOn', 'mCmG3o6kjn', 'YdeG6DvAqT'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, vAn0HoArA23Maefiap.csHigh entropy of concatenated method names: 'BEtcbdZ8BK', 'mBxceDM8GV', 'rvccYniltf', 'PKucA0Hneh', 'IdQcke2hU3', 'iuncyssD0S', 't6lcDhlKvB', 'IxYcUI3Meq', 'tpMcIbrMft', 'QracOxAaOg'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, SW8DeeB6aVHGjqOFRf.csHigh entropy of concatenated method names: 'smVUrYns7P', 'esLUPjmHUp', 'osfUcvjLvM', 'oHTUGrxCY4', 'Y2XUxqM7Bh', 'xEuUiS06XZ', 'eXyUVRqitd', 'MvfUpetVpR', 'pG5U5Uu3AB', 'k6HUo1ruHH'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, LrDp2gPDDKXhK6nGRi.csHigh entropy of concatenated method names: 'BfFBYAM7ks', 'APTBAFO9pD', 'qtbBTB0oOK', 'd6NBdMnkb9', 'C0dBfHLt9e', 'r5lBHpy8dj', 'TMmB9k7q8c', 'rDrBJmX3RA', 'yZSBRKCB3D', 'Bh1B8EiMdw'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, pINXIehvWXwyqsnbgr.csHigh entropy of concatenated method names: 'j0eXiGkS4B', 'WE5XVX4qFr', 'iVmX578VTs', 'VYgXofu2ZN', 'm64XkeuXTx', 'fTHXyNcQ1u', 'WURla1957MyhsF3ELX', 'euhib6kbWrXOlCseQd', 'p9GXXjqfrU', 'u0nX7AtSqw'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, bAfoyn70OPLcRmMWLY.csHigh entropy of concatenated method names: 'XiLUTV9Q7D', 'I9IUdGnRrB', 'riEUWrvEyN', 'vjTUfEUjo1', 'dCOUnFR6hV', 'QmfUHbl9Ts', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, A6o9CQUC8uU9J0HUNg.csHigh entropy of concatenated method names: 'X4GirPfnY9', 'mvDicx1sBU', 'MERix8dQWZ', 'o1gxERdKxr', 'zKIxzeKlcw', 'mkfiQaFUjC', 'DhxiXr1oXg', 'rJhiC1Nw3T', 'tZoi7GC7Zh', 'uMsi1l8pmq'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, Q52MZZGMumw2JdOafM.csHigh entropy of concatenated method names: 'l2UD3EJiRk', 'swCDEOfvFm', 'MU7UQD2lG3', 'oj7UXPKs4T', 'lSiD8kY3WS', 'XY4DK7N7YQ', 'B7nDjCXbcp', 'Ul6DnV5EdX', 'qpDDZHQA9L', 'MujDuJtGJY'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, YPyR0rScyFQHt4LSxI.csHigh entropy of concatenated method names: 'IF7SOoKod', 'VxIbiYaZ3', 'bSFe3XdW6', 'a7i0xcD7o', 'OSAADwIuL', 'zJkv5Y2yA', 'yoHpMMT5JH0jEHZcuE', 'vnC6nAJA6jemhhOKx6', 'q0YUL4s7G', 'ipSO6UrwS'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, VPTB9Hj1KQYmwFwebe.csHigh entropy of concatenated method names: 'zbCxuQglUr', 'kYuxa7IBa8', 'RIoxL4uDRY', 'ToString', 'tKVxhl70Ti', 'P5dxwuKL2A', 'bdVNOCeCcMocE4bpyn5', 'oN01BCe05Bl6IXl1nfB', 'l5XgpSe54nY59H2KsBi', 'tOVTOQe1SsWQ8HlWL4V'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, auGahYmrbOXQpKrlGf.csHigh entropy of concatenated method names: 'q5wkRYNSlj', 'CJkkK0g6In', 'Wu1kn607Wt', 'JqhkZj4gN1', 'oN2kdKUevq', 'nHbkWCC6Rh', 'I4Ukf1XC2h', 'sfnkHh6gbw', 'ck4k4U6gGO', 'r1qk9yrPPp'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, syv7QdNKtKblnuuuxd.csHigh entropy of concatenated method names: 'n6JGgvBfBc', 'WyeG0jS8VD', 'toncWaaqaK', 'ryAcf7Tv6W', 'EJQcH9DjBF', 'jONc4schkH', 'g1Dc90c0iV', 'Dt2cJnitZx', 'Mx7cmivFXr', 'gjKcRWLAh4'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, SbBo3aTf4cNGFXq9s0.csHigh entropy of concatenated method names: 'cy0iNyYDXo', 'wsiiFxWRwt', 'DyTiSQtMO3', 's4xibu9GTp', 'MumigNNe82', 'E8Die6JJ0T', 'Sf4i0KijoF', 'aeLiY01KNP', 'w92iA8FhrJ', 'KDlivZS8Eh'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, u2YxUHxItJFpKQdbGU.csHigh entropy of concatenated method names: 'ToString', 'ejjy86Wpgx', 'dumydcR8nU', 'EjbyWFgZEe', 'z0Vyfmw7oU', 'vmbyHvjoGV', 'hD9y4BaQQF', 'lRny9yuOHw', 'nIhyJV3ASg', 'FvJymXBY1G'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, R8F35CDOHwNew9N6HY.csHigh entropy of concatenated method names: 'Dispose', 'bLhX6xDWY1', 'HhNCdHkkuR', 'QkJqq8Tk0q', 'WwLXEaG89i', 'bRNXzsb5yg', 'ProcessDialogKey', 'C3RCQRqA7L', 'TkHCXaPEYI', 'NQYCCkRIvR'
            Source: 3.2.Quote35664776.exe.45700b8.2.raw.unpack, Omg99GFnvJiuifGl2TV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RL6OnckV1V', 'I3qOZooGr0', 'IUZOuRFDZR', 'qC5OaVVAKs', 'UMDOLS2ElB', 'z6FOhPgT43', 'LnROwXhZcl'

            Hooking and other Techniques for Hiding and Protection

            barindex
            Loading BitLocker PowerShell Module
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Yara detected AntiVM3
            Source: Yara matchFile source: Process Memory Space: Quote35664776.exe PID: 6448, type: MEMORYSTR
            Source: C:\Users\user\Desktop\Quote35664776.exeMemory allocated: 10C0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeMemory allocated: 2AA0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeMemory allocated: 4AA0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeMemory allocated: 6FE0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeMemory allocated: 7FE0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeMemory allocated: 8160000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeMemory allocated: 9160000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeMemory allocated: 9C50000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeMemory allocated: AC50000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeMemory allocated: BC50000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0151096E rdtsc 7_2_0151096E
            Source: C:\Users\user\Desktop\Quote35664776.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5152Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3000Jump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeAPI coverage: 0.6 %
            Source: C:\Users\user\Desktop\Quote35664776.exe TID: 6240Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7428Thread sleep time: -11068046444225724s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7408Thread sleep time: -1844674407370954s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exe TID: 7304Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0151096E rdtsc 7_2_0151096E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_004176E3 LdrLoadDll,7_2_004176E3
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01568158 mov eax, dword ptr fs:[00000030h]7_2_01568158
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01564144 mov eax, dword ptr fs:[00000030h]7_2_01564144
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01564144 mov eax, dword ptr fs:[00000030h]7_2_01564144
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01564144 mov ecx, dword ptr fs:[00000030h]7_2_01564144
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01564144 mov eax, dword ptr fs:[00000030h]7_2_01564144
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01564144 mov eax, dword ptr fs:[00000030h]7_2_01564144
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D6154 mov eax, dword ptr fs:[00000030h]7_2_014D6154
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D6154 mov eax, dword ptr fs:[00000030h]7_2_014D6154
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CC156 mov eax, dword ptr fs:[00000030h]7_2_014CC156
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A4164 mov eax, dword ptr fs:[00000030h]7_2_015A4164
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A4164 mov eax, dword ptr fs:[00000030h]7_2_015A4164
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01590115 mov eax, dword ptr fs:[00000030h]7_2_01590115
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157A118 mov ecx, dword ptr fs:[00000030h]7_2_0157A118
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157A118 mov eax, dword ptr fs:[00000030h]7_2_0157A118
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157A118 mov eax, dword ptr fs:[00000030h]7_2_0157A118
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157A118 mov eax, dword ptr fs:[00000030h]7_2_0157A118
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157E10E mov eax, dword ptr fs:[00000030h]7_2_0157E10E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157E10E mov ecx, dword ptr fs:[00000030h]7_2_0157E10E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157E10E mov eax, dword ptr fs:[00000030h]7_2_0157E10E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157E10E mov eax, dword ptr fs:[00000030h]7_2_0157E10E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157E10E mov ecx, dword ptr fs:[00000030h]7_2_0157E10E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157E10E mov eax, dword ptr fs:[00000030h]7_2_0157E10E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157E10E mov eax, dword ptr fs:[00000030h]7_2_0157E10E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157E10E mov ecx, dword ptr fs:[00000030h]7_2_0157E10E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157E10E mov eax, dword ptr fs:[00000030h]7_2_0157E10E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157E10E mov ecx, dword ptr fs:[00000030h]7_2_0157E10E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01500124 mov eax, dword ptr fs:[00000030h]7_2_01500124
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154E1D0 mov eax, dword ptr fs:[00000030h]7_2_0154E1D0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154E1D0 mov eax, dword ptr fs:[00000030h]7_2_0154E1D0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154E1D0 mov ecx, dword ptr fs:[00000030h]7_2_0154E1D0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154E1D0 mov eax, dword ptr fs:[00000030h]7_2_0154E1D0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154E1D0 mov eax, dword ptr fs:[00000030h]7_2_0154E1D0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015961C3 mov eax, dword ptr fs:[00000030h]7_2_015961C3
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015961C3 mov eax, dword ptr fs:[00000030h]7_2_015961C3
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015001F8 mov eax, dword ptr fs:[00000030h]7_2_015001F8
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A61E5 mov eax, dword ptr fs:[00000030h]7_2_015A61E5
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155019F mov eax, dword ptr fs:[00000030h]7_2_0155019F
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155019F mov eax, dword ptr fs:[00000030h]7_2_0155019F
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155019F mov eax, dword ptr fs:[00000030h]7_2_0155019F
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155019F mov eax, dword ptr fs:[00000030h]7_2_0155019F
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0158C188 mov eax, dword ptr fs:[00000030h]7_2_0158C188
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0158C188 mov eax, dword ptr fs:[00000030h]7_2_0158C188
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01510185 mov eax, dword ptr fs:[00000030h]7_2_01510185
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01574180 mov eax, dword ptr fs:[00000030h]7_2_01574180
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01574180 mov eax, dword ptr fs:[00000030h]7_2_01574180
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CA197 mov eax, dword ptr fs:[00000030h]7_2_014CA197
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CA197 mov eax, dword ptr fs:[00000030h]7_2_014CA197
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CA197 mov eax, dword ptr fs:[00000030h]7_2_014CA197
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01556050 mov eax, dword ptr fs:[00000030h]7_2_01556050
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D2050 mov eax, dword ptr fs:[00000030h]7_2_014D2050
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FC073 mov eax, dword ptr fs:[00000030h]7_2_014FC073
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01554000 mov ecx, dword ptr fs:[00000030h]7_2_01554000
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01572000 mov eax, dword ptr fs:[00000030h]7_2_01572000
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01572000 mov eax, dword ptr fs:[00000030h]7_2_01572000
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01572000 mov eax, dword ptr fs:[00000030h]7_2_01572000
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01572000 mov eax, dword ptr fs:[00000030h]7_2_01572000
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01572000 mov eax, dword ptr fs:[00000030h]7_2_01572000
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01572000 mov eax, dword ptr fs:[00000030h]7_2_01572000
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01572000 mov eax, dword ptr fs:[00000030h]7_2_01572000
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01572000 mov eax, dword ptr fs:[00000030h]7_2_01572000
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014EE016 mov eax, dword ptr fs:[00000030h]7_2_014EE016
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014EE016 mov eax, dword ptr fs:[00000030h]7_2_014EE016
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014EE016 mov eax, dword ptr fs:[00000030h]7_2_014EE016
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014EE016 mov eax, dword ptr fs:[00000030h]7_2_014EE016
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01566030 mov eax, dword ptr fs:[00000030h]7_2_01566030
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CA020 mov eax, dword ptr fs:[00000030h]7_2_014CA020
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CC020 mov eax, dword ptr fs:[00000030h]7_2_014CC020
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015520DE mov eax, dword ptr fs:[00000030h]7_2_015520DE
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015120F0 mov ecx, dword ptr fs:[00000030h]7_2_015120F0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D80E9 mov eax, dword ptr fs:[00000030h]7_2_014D80E9
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CA0E3 mov ecx, dword ptr fs:[00000030h]7_2_014CA0E3
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015560E0 mov eax, dword ptr fs:[00000030h]7_2_015560E0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CC0F0 mov eax, dword ptr fs:[00000030h]7_2_014CC0F0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D208A mov eax, dword ptr fs:[00000030h]7_2_014D208A
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015960B8 mov eax, dword ptr fs:[00000030h]7_2_015960B8
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015960B8 mov ecx, dword ptr fs:[00000030h]7_2_015960B8
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014C80A0 mov eax, dword ptr fs:[00000030h]7_2_014C80A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015680A8 mov eax, dword ptr fs:[00000030h]7_2_015680A8
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01578350 mov ecx, dword ptr fs:[00000030h]7_2_01578350
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155035C mov eax, dword ptr fs:[00000030h]7_2_0155035C
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155035C mov eax, dword ptr fs:[00000030h]7_2_0155035C
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155035C mov eax, dword ptr fs:[00000030h]7_2_0155035C
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155035C mov ecx, dword ptr fs:[00000030h]7_2_0155035C
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155035C mov eax, dword ptr fs:[00000030h]7_2_0155035C
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155035C mov eax, dword ptr fs:[00000030h]7_2_0155035C
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159A352 mov eax, dword ptr fs:[00000030h]7_2_0159A352
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A634F mov eax, dword ptr fs:[00000030h]7_2_015A634F
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01552349 mov eax, dword ptr fs:[00000030h]7_2_01552349
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01552349 mov eax, dword ptr fs:[00000030h]7_2_01552349
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01552349 mov eax, dword ptr fs:[00000030h]7_2_01552349
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01552349 mov eax, dword ptr fs:[00000030h]7_2_01552349
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01552349 mov eax, dword ptr fs:[00000030h]7_2_01552349
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01552349 mov eax, dword ptr fs:[00000030h]7_2_01552349
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01552349 mov eax, dword ptr fs:[00000030h]7_2_01552349
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01552349 mov eax, dword ptr fs:[00000030h]7_2_01552349
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01552349 mov eax, dword ptr fs:[00000030h]7_2_01552349
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01552349 mov eax, dword ptr fs:[00000030h]7_2_01552349
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01552349 mov eax, dword ptr fs:[00000030h]7_2_01552349
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01552349 mov eax, dword ptr fs:[00000030h]7_2_01552349
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01552349 mov eax, dword ptr fs:[00000030h]7_2_01552349
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01552349 mov eax, dword ptr fs:[00000030h]7_2_01552349
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01552349 mov eax, dword ptr fs:[00000030h]7_2_01552349
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157437C mov eax, dword ptr fs:[00000030h]7_2_0157437C
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150A30B mov eax, dword ptr fs:[00000030h]7_2_0150A30B
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150A30B mov eax, dword ptr fs:[00000030h]7_2_0150A30B
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150A30B mov eax, dword ptr fs:[00000030h]7_2_0150A30B
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CC310 mov ecx, dword ptr fs:[00000030h]7_2_014CC310
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F0310 mov ecx, dword ptr fs:[00000030h]7_2_014F0310
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A8324 mov eax, dword ptr fs:[00000030h]7_2_015A8324
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A8324 mov ecx, dword ptr fs:[00000030h]7_2_015A8324
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A8324 mov eax, dword ptr fs:[00000030h]7_2_015A8324
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A8324 mov eax, dword ptr fs:[00000030h]7_2_015A8324
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015743D4 mov eax, dword ptr fs:[00000030h]7_2_015743D4
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015743D4 mov eax, dword ptr fs:[00000030h]7_2_015743D4
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157E3DB mov eax, dword ptr fs:[00000030h]7_2_0157E3DB
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157E3DB mov eax, dword ptr fs:[00000030h]7_2_0157E3DB
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157E3DB mov ecx, dword ptr fs:[00000030h]7_2_0157E3DB
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157E3DB mov eax, dword ptr fs:[00000030h]7_2_0157E3DB
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DA3C0 mov eax, dword ptr fs:[00000030h]7_2_014DA3C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DA3C0 mov eax, dword ptr fs:[00000030h]7_2_014DA3C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DA3C0 mov eax, dword ptr fs:[00000030h]7_2_014DA3C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DA3C0 mov eax, dword ptr fs:[00000030h]7_2_014DA3C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DA3C0 mov eax, dword ptr fs:[00000030h]7_2_014DA3C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DA3C0 mov eax, dword ptr fs:[00000030h]7_2_014DA3C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D83C0 mov eax, dword ptr fs:[00000030h]7_2_014D83C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D83C0 mov eax, dword ptr fs:[00000030h]7_2_014D83C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D83C0 mov eax, dword ptr fs:[00000030h]7_2_014D83C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D83C0 mov eax, dword ptr fs:[00000030h]7_2_014D83C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0158C3CD mov eax, dword ptr fs:[00000030h]7_2_0158C3CD
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015563C0 mov eax, dword ptr fs:[00000030h]7_2_015563C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E03E9 mov eax, dword ptr fs:[00000030h]7_2_014E03E9
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E03E9 mov eax, dword ptr fs:[00000030h]7_2_014E03E9
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E03E9 mov eax, dword ptr fs:[00000030h]7_2_014E03E9
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E03E9 mov eax, dword ptr fs:[00000030h]7_2_014E03E9
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E03E9 mov eax, dword ptr fs:[00000030h]7_2_014E03E9
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E03E9 mov eax, dword ptr fs:[00000030h]7_2_014E03E9
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E03E9 mov eax, dword ptr fs:[00000030h]7_2_014E03E9
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E03E9 mov eax, dword ptr fs:[00000030h]7_2_014E03E9
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015063FF mov eax, dword ptr fs:[00000030h]7_2_015063FF
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014EE3F0 mov eax, dword ptr fs:[00000030h]7_2_014EE3F0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014EE3F0 mov eax, dword ptr fs:[00000030h]7_2_014EE3F0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014EE3F0 mov eax, dword ptr fs:[00000030h]7_2_014EE3F0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F438F mov eax, dword ptr fs:[00000030h]7_2_014F438F
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F438F mov eax, dword ptr fs:[00000030h]7_2_014F438F
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CE388 mov eax, dword ptr fs:[00000030h]7_2_014CE388
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CE388 mov eax, dword ptr fs:[00000030h]7_2_014CE388
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CE388 mov eax, dword ptr fs:[00000030h]7_2_014CE388
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014C8397 mov eax, dword ptr fs:[00000030h]7_2_014C8397
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014C8397 mov eax, dword ptr fs:[00000030h]7_2_014C8397
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014C8397 mov eax, dword ptr fs:[00000030h]7_2_014C8397
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A625D mov eax, dword ptr fs:[00000030h]7_2_015A625D
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0158A250 mov eax, dword ptr fs:[00000030h]7_2_0158A250
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0158A250 mov eax, dword ptr fs:[00000030h]7_2_0158A250
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D6259 mov eax, dword ptr fs:[00000030h]7_2_014D6259
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01558243 mov eax, dword ptr fs:[00000030h]7_2_01558243
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01558243 mov ecx, dword ptr fs:[00000030h]7_2_01558243
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CA250 mov eax, dword ptr fs:[00000030h]7_2_014CA250
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014C826B mov eax, dword ptr fs:[00000030h]7_2_014C826B
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01580274 mov eax, dword ptr fs:[00000030h]7_2_01580274
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01580274 mov eax, dword ptr fs:[00000030h]7_2_01580274
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01580274 mov eax, dword ptr fs:[00000030h]7_2_01580274
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01580274 mov eax, dword ptr fs:[00000030h]7_2_01580274
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01580274 mov eax, dword ptr fs:[00000030h]7_2_01580274
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01580274 mov eax, dword ptr fs:[00000030h]7_2_01580274
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01580274 mov eax, dword ptr fs:[00000030h]7_2_01580274
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01580274 mov eax, dword ptr fs:[00000030h]7_2_01580274
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01580274 mov eax, dword ptr fs:[00000030h]7_2_01580274
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01580274 mov eax, dword ptr fs:[00000030h]7_2_01580274
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01580274 mov eax, dword ptr fs:[00000030h]7_2_01580274
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01580274 mov eax, dword ptr fs:[00000030h]7_2_01580274
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D4260 mov eax, dword ptr fs:[00000030h]7_2_014D4260
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D4260 mov eax, dword ptr fs:[00000030h]7_2_014D4260
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D4260 mov eax, dword ptr fs:[00000030h]7_2_014D4260
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014C823B mov eax, dword ptr fs:[00000030h]7_2_014C823B
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A62D6 mov eax, dword ptr fs:[00000030h]7_2_015A62D6
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DA2C3 mov eax, dword ptr fs:[00000030h]7_2_014DA2C3
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DA2C3 mov eax, dword ptr fs:[00000030h]7_2_014DA2C3
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DA2C3 mov eax, dword ptr fs:[00000030h]7_2_014DA2C3
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DA2C3 mov eax, dword ptr fs:[00000030h]7_2_014DA2C3
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DA2C3 mov eax, dword ptr fs:[00000030h]7_2_014DA2C3
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E02E1 mov eax, dword ptr fs:[00000030h]7_2_014E02E1
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E02E1 mov eax, dword ptr fs:[00000030h]7_2_014E02E1
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E02E1 mov eax, dword ptr fs:[00000030h]7_2_014E02E1
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150E284 mov eax, dword ptr fs:[00000030h]7_2_0150E284
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150E284 mov eax, dword ptr fs:[00000030h]7_2_0150E284
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01550283 mov eax, dword ptr fs:[00000030h]7_2_01550283
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01550283 mov eax, dword ptr fs:[00000030h]7_2_01550283
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01550283 mov eax, dword ptr fs:[00000030h]7_2_01550283
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E02A0 mov eax, dword ptr fs:[00000030h]7_2_014E02A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E02A0 mov eax, dword ptr fs:[00000030h]7_2_014E02A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015662A0 mov eax, dword ptr fs:[00000030h]7_2_015662A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015662A0 mov ecx, dword ptr fs:[00000030h]7_2_015662A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015662A0 mov eax, dword ptr fs:[00000030h]7_2_015662A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015662A0 mov eax, dword ptr fs:[00000030h]7_2_015662A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015662A0 mov eax, dword ptr fs:[00000030h]7_2_015662A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015662A0 mov eax, dword ptr fs:[00000030h]7_2_015662A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D8550 mov eax, dword ptr fs:[00000030h]7_2_014D8550
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D8550 mov eax, dword ptr fs:[00000030h]7_2_014D8550
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150656A mov eax, dword ptr fs:[00000030h]7_2_0150656A
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150656A mov eax, dword ptr fs:[00000030h]7_2_0150656A
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150656A mov eax, dword ptr fs:[00000030h]7_2_0150656A
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01566500 mov eax, dword ptr fs:[00000030h]7_2_01566500
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A4500 mov eax, dword ptr fs:[00000030h]7_2_015A4500
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A4500 mov eax, dword ptr fs:[00000030h]7_2_015A4500
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A4500 mov eax, dword ptr fs:[00000030h]7_2_015A4500
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A4500 mov eax, dword ptr fs:[00000030h]7_2_015A4500
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A4500 mov eax, dword ptr fs:[00000030h]7_2_015A4500
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A4500 mov eax, dword ptr fs:[00000030h]7_2_015A4500
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A4500 mov eax, dword ptr fs:[00000030h]7_2_015A4500
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FE53E mov eax, dword ptr fs:[00000030h]7_2_014FE53E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FE53E mov eax, dword ptr fs:[00000030h]7_2_014FE53E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FE53E mov eax, dword ptr fs:[00000030h]7_2_014FE53E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FE53E mov eax, dword ptr fs:[00000030h]7_2_014FE53E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FE53E mov eax, dword ptr fs:[00000030h]7_2_014FE53E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0535 mov eax, dword ptr fs:[00000030h]7_2_014E0535
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0535 mov eax, dword ptr fs:[00000030h]7_2_014E0535
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0535 mov eax, dword ptr fs:[00000030h]7_2_014E0535
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0535 mov eax, dword ptr fs:[00000030h]7_2_014E0535
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0535 mov eax, dword ptr fs:[00000030h]7_2_014E0535
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0535 mov eax, dword ptr fs:[00000030h]7_2_014E0535
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150A5D0 mov eax, dword ptr fs:[00000030h]7_2_0150A5D0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150A5D0 mov eax, dword ptr fs:[00000030h]7_2_0150A5D0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D65D0 mov eax, dword ptr fs:[00000030h]7_2_014D65D0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150E5CF mov eax, dword ptr fs:[00000030h]7_2_0150E5CF
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150E5CF mov eax, dword ptr fs:[00000030h]7_2_0150E5CF
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FE5E7 mov eax, dword ptr fs:[00000030h]7_2_014FE5E7
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FE5E7 mov eax, dword ptr fs:[00000030h]7_2_014FE5E7
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FE5E7 mov eax, dword ptr fs:[00000030h]7_2_014FE5E7
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FE5E7 mov eax, dword ptr fs:[00000030h]7_2_014FE5E7
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FE5E7 mov eax, dword ptr fs:[00000030h]7_2_014FE5E7
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FE5E7 mov eax, dword ptr fs:[00000030h]7_2_014FE5E7
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FE5E7 mov eax, dword ptr fs:[00000030h]7_2_014FE5E7
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FE5E7 mov eax, dword ptr fs:[00000030h]7_2_014FE5E7
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D25E0 mov eax, dword ptr fs:[00000030h]7_2_014D25E0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150C5ED mov eax, dword ptr fs:[00000030h]7_2_0150C5ED
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150C5ED mov eax, dword ptr fs:[00000030h]7_2_0150C5ED
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150E59C mov eax, dword ptr fs:[00000030h]7_2_0150E59C
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D2582 mov eax, dword ptr fs:[00000030h]7_2_014D2582
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D2582 mov ecx, dword ptr fs:[00000030h]7_2_014D2582
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01504588 mov eax, dword ptr fs:[00000030h]7_2_01504588
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015505A7 mov eax, dword ptr fs:[00000030h]7_2_015505A7
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015505A7 mov eax, dword ptr fs:[00000030h]7_2_015505A7
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015505A7 mov eax, dword ptr fs:[00000030h]7_2_015505A7
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F45B1 mov eax, dword ptr fs:[00000030h]7_2_014F45B1
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F45B1 mov eax, dword ptr fs:[00000030h]7_2_014F45B1
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0158A456 mov eax, dword ptr fs:[00000030h]7_2_0158A456
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014C645D mov eax, dword ptr fs:[00000030h]7_2_014C645D
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150E443 mov eax, dword ptr fs:[00000030h]7_2_0150E443
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150E443 mov eax, dword ptr fs:[00000030h]7_2_0150E443
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150E443 mov eax, dword ptr fs:[00000030h]7_2_0150E443
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150E443 mov eax, dword ptr fs:[00000030h]7_2_0150E443
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150E443 mov eax, dword ptr fs:[00000030h]7_2_0150E443
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150E443 mov eax, dword ptr fs:[00000030h]7_2_0150E443
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150E443 mov eax, dword ptr fs:[00000030h]7_2_0150E443
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150E443 mov eax, dword ptr fs:[00000030h]7_2_0150E443
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F245A mov eax, dword ptr fs:[00000030h]7_2_014F245A
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155C460 mov ecx, dword ptr fs:[00000030h]7_2_0155C460
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FA470 mov eax, dword ptr fs:[00000030h]7_2_014FA470
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FA470 mov eax, dword ptr fs:[00000030h]7_2_014FA470
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FA470 mov eax, dword ptr fs:[00000030h]7_2_014FA470
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01508402 mov eax, dword ptr fs:[00000030h]7_2_01508402
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01508402 mov eax, dword ptr fs:[00000030h]7_2_01508402
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01508402 mov eax, dword ptr fs:[00000030h]7_2_01508402
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150A430 mov eax, dword ptr fs:[00000030h]7_2_0150A430
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CC427 mov eax, dword ptr fs:[00000030h]7_2_014CC427
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CE420 mov eax, dword ptr fs:[00000030h]7_2_014CE420
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CE420 mov eax, dword ptr fs:[00000030h]7_2_014CE420
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CE420 mov eax, dword ptr fs:[00000030h]7_2_014CE420
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01556420 mov eax, dword ptr fs:[00000030h]7_2_01556420
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01556420 mov eax, dword ptr fs:[00000030h]7_2_01556420
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01556420 mov eax, dword ptr fs:[00000030h]7_2_01556420
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01556420 mov eax, dword ptr fs:[00000030h]7_2_01556420
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01556420 mov eax, dword ptr fs:[00000030h]7_2_01556420
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01556420 mov eax, dword ptr fs:[00000030h]7_2_01556420
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01556420 mov eax, dword ptr fs:[00000030h]7_2_01556420
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D04E5 mov ecx, dword ptr fs:[00000030h]7_2_014D04E5
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0158A49A mov eax, dword ptr fs:[00000030h]7_2_0158A49A
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015044B0 mov ecx, dword ptr fs:[00000030h]7_2_015044B0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155A4B0 mov eax, dword ptr fs:[00000030h]7_2_0155A4B0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D64AB mov eax, dword ptr fs:[00000030h]7_2_014D64AB
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01554755 mov eax, dword ptr fs:[00000030h]7_2_01554755
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512750 mov eax, dword ptr fs:[00000030h]7_2_01512750
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512750 mov eax, dword ptr fs:[00000030h]7_2_01512750
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155E75D mov eax, dword ptr fs:[00000030h]7_2_0155E75D
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D0750 mov eax, dword ptr fs:[00000030h]7_2_014D0750
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150674D mov esi, dword ptr fs:[00000030h]7_2_0150674D
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150674D mov eax, dword ptr fs:[00000030h]7_2_0150674D
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150674D mov eax, dword ptr fs:[00000030h]7_2_0150674D
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D8770 mov eax, dword ptr fs:[00000030h]7_2_014D8770
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0770 mov eax, dword ptr fs:[00000030h]7_2_014E0770
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0770 mov eax, dword ptr fs:[00000030h]7_2_014E0770
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0770 mov eax, dword ptr fs:[00000030h]7_2_014E0770
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0770 mov eax, dword ptr fs:[00000030h]7_2_014E0770
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0770 mov eax, dword ptr fs:[00000030h]7_2_014E0770
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0770 mov eax, dword ptr fs:[00000030h]7_2_014E0770
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0770 mov eax, dword ptr fs:[00000030h]7_2_014E0770
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0770 mov eax, dword ptr fs:[00000030h]7_2_014E0770
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0770 mov eax, dword ptr fs:[00000030h]7_2_014E0770
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0770 mov eax, dword ptr fs:[00000030h]7_2_014E0770
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0770 mov eax, dword ptr fs:[00000030h]7_2_014E0770
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0770 mov eax, dword ptr fs:[00000030h]7_2_014E0770
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01500710 mov eax, dword ptr fs:[00000030h]7_2_01500710
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150C700 mov eax, dword ptr fs:[00000030h]7_2_0150C700
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D0710 mov eax, dword ptr fs:[00000030h]7_2_014D0710
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154C730 mov eax, dword ptr fs:[00000030h]7_2_0154C730
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150273C mov eax, dword ptr fs:[00000030h]7_2_0150273C
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150273C mov ecx, dword ptr fs:[00000030h]7_2_0150273C
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150273C mov eax, dword ptr fs:[00000030h]7_2_0150273C
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150C720 mov eax, dword ptr fs:[00000030h]7_2_0150C720
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150C720 mov eax, dword ptr fs:[00000030h]7_2_0150C720
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DC7C0 mov eax, dword ptr fs:[00000030h]7_2_014DC7C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015507C3 mov eax, dword ptr fs:[00000030h]7_2_015507C3
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F27ED mov eax, dword ptr fs:[00000030h]7_2_014F27ED
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F27ED mov eax, dword ptr fs:[00000030h]7_2_014F27ED
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F27ED mov eax, dword ptr fs:[00000030h]7_2_014F27ED
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155E7E1 mov eax, dword ptr fs:[00000030h]7_2_0155E7E1
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D47FB mov eax, dword ptr fs:[00000030h]7_2_014D47FB
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D47FB mov eax, dword ptr fs:[00000030h]7_2_014D47FB
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157678E mov eax, dword ptr fs:[00000030h]7_2_0157678E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D07AF mov eax, dword ptr fs:[00000030h]7_2_014D07AF
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015847A0 mov eax, dword ptr fs:[00000030h]7_2_015847A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014EC640 mov eax, dword ptr fs:[00000030h]7_2_014EC640
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01502674 mov eax, dword ptr fs:[00000030h]7_2_01502674
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150A660 mov eax, dword ptr fs:[00000030h]7_2_0150A660
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150A660 mov eax, dword ptr fs:[00000030h]7_2_0150A660
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159866E mov eax, dword ptr fs:[00000030h]7_2_0159866E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159866E mov eax, dword ptr fs:[00000030h]7_2_0159866E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E260B mov eax, dword ptr fs:[00000030h]7_2_014E260B
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E260B mov eax, dword ptr fs:[00000030h]7_2_014E260B
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E260B mov eax, dword ptr fs:[00000030h]7_2_014E260B
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E260B mov eax, dword ptr fs:[00000030h]7_2_014E260B
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E260B mov eax, dword ptr fs:[00000030h]7_2_014E260B
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E260B mov eax, dword ptr fs:[00000030h]7_2_014E260B
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E260B mov eax, dword ptr fs:[00000030h]7_2_014E260B
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01512619 mov eax, dword ptr fs:[00000030h]7_2_01512619
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154E609 mov eax, dword ptr fs:[00000030h]7_2_0154E609
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D262C mov eax, dword ptr fs:[00000030h]7_2_014D262C
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014EE627 mov eax, dword ptr fs:[00000030h]7_2_014EE627
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01506620 mov eax, dword ptr fs:[00000030h]7_2_01506620
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01508620 mov eax, dword ptr fs:[00000030h]7_2_01508620
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150A6C7 mov ebx, dword ptr fs:[00000030h]7_2_0150A6C7
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150A6C7 mov eax, dword ptr fs:[00000030h]7_2_0150A6C7
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015506F1 mov eax, dword ptr fs:[00000030h]7_2_015506F1
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015506F1 mov eax, dword ptr fs:[00000030h]7_2_015506F1
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154E6F2 mov eax, dword ptr fs:[00000030h]7_2_0154E6F2
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154E6F2 mov eax, dword ptr fs:[00000030h]7_2_0154E6F2
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154E6F2 mov eax, dword ptr fs:[00000030h]7_2_0154E6F2
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154E6F2 mov eax, dword ptr fs:[00000030h]7_2_0154E6F2
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D4690 mov eax, dword ptr fs:[00000030h]7_2_014D4690
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D4690 mov eax, dword ptr fs:[00000030h]7_2_014D4690
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015066B0 mov eax, dword ptr fs:[00000030h]7_2_015066B0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150C6A6 mov eax, dword ptr fs:[00000030h]7_2_0150C6A6
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01550946 mov eax, dword ptr fs:[00000030h]7_2_01550946
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A4940 mov eax, dword ptr fs:[00000030h]7_2_015A4940
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155C97C mov eax, dword ptr fs:[00000030h]7_2_0155C97C
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F6962 mov eax, dword ptr fs:[00000030h]7_2_014F6962
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F6962 mov eax, dword ptr fs:[00000030h]7_2_014F6962
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F6962 mov eax, dword ptr fs:[00000030h]7_2_014F6962
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01574978 mov eax, dword ptr fs:[00000030h]7_2_01574978
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01574978 mov eax, dword ptr fs:[00000030h]7_2_01574978
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0151096E mov eax, dword ptr fs:[00000030h]7_2_0151096E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0151096E mov edx, dword ptr fs:[00000030h]7_2_0151096E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0151096E mov eax, dword ptr fs:[00000030h]7_2_0151096E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155C912 mov eax, dword ptr fs:[00000030h]7_2_0155C912
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014C8918 mov eax, dword ptr fs:[00000030h]7_2_014C8918
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014C8918 mov eax, dword ptr fs:[00000030h]7_2_014C8918
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154E908 mov eax, dword ptr fs:[00000030h]7_2_0154E908
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154E908 mov eax, dword ptr fs:[00000030h]7_2_0154E908
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0156892B mov eax, dword ptr fs:[00000030h]7_2_0156892B
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155892A mov eax, dword ptr fs:[00000030h]7_2_0155892A
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015049D0 mov eax, dword ptr fs:[00000030h]7_2_015049D0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159A9D3 mov eax, dword ptr fs:[00000030h]7_2_0159A9D3
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015669C0 mov eax, dword ptr fs:[00000030h]7_2_015669C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DA9D0 mov eax, dword ptr fs:[00000030h]7_2_014DA9D0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DA9D0 mov eax, dword ptr fs:[00000030h]7_2_014DA9D0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DA9D0 mov eax, dword ptr fs:[00000030h]7_2_014DA9D0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DA9D0 mov eax, dword ptr fs:[00000030h]7_2_014DA9D0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DA9D0 mov eax, dword ptr fs:[00000030h]7_2_014DA9D0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DA9D0 mov eax, dword ptr fs:[00000030h]7_2_014DA9D0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015029F9 mov eax, dword ptr fs:[00000030h]7_2_015029F9
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015029F9 mov eax, dword ptr fs:[00000030h]7_2_015029F9
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155E9E0 mov eax, dword ptr fs:[00000030h]7_2_0155E9E0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D09AD mov eax, dword ptr fs:[00000030h]7_2_014D09AD
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D09AD mov eax, dword ptr fs:[00000030h]7_2_014D09AD
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015589B3 mov esi, dword ptr fs:[00000030h]7_2_015589B3
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015589B3 mov eax, dword ptr fs:[00000030h]7_2_015589B3
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015589B3 mov eax, dword ptr fs:[00000030h]7_2_015589B3
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E29A0 mov eax, dword ptr fs:[00000030h]7_2_014E29A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E29A0 mov eax, dword ptr fs:[00000030h]7_2_014E29A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E29A0 mov eax, dword ptr fs:[00000030h]7_2_014E29A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E29A0 mov eax, dword ptr fs:[00000030h]7_2_014E29A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E29A0 mov eax, dword ptr fs:[00000030h]7_2_014E29A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E29A0 mov eax, dword ptr fs:[00000030h]7_2_014E29A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E29A0 mov eax, dword ptr fs:[00000030h]7_2_014E29A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E29A0 mov eax, dword ptr fs:[00000030h]7_2_014E29A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E29A0 mov eax, dword ptr fs:[00000030h]7_2_014E29A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E29A0 mov eax, dword ptr fs:[00000030h]7_2_014E29A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E29A0 mov eax, dword ptr fs:[00000030h]7_2_014E29A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E29A0 mov eax, dword ptr fs:[00000030h]7_2_014E29A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E29A0 mov eax, dword ptr fs:[00000030h]7_2_014E29A0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01500854 mov eax, dword ptr fs:[00000030h]7_2_01500854
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E2840 mov ecx, dword ptr fs:[00000030h]7_2_014E2840
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D4859 mov eax, dword ptr fs:[00000030h]7_2_014D4859
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D4859 mov eax, dword ptr fs:[00000030h]7_2_014D4859
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01566870 mov eax, dword ptr fs:[00000030h]7_2_01566870
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01566870 mov eax, dword ptr fs:[00000030h]7_2_01566870
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155E872 mov eax, dword ptr fs:[00000030h]7_2_0155E872
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155E872 mov eax, dword ptr fs:[00000030h]7_2_0155E872
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155C810 mov eax, dword ptr fs:[00000030h]7_2_0155C810
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150A830 mov eax, dword ptr fs:[00000030h]7_2_0150A830
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157483A mov eax, dword ptr fs:[00000030h]7_2_0157483A
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157483A mov eax, dword ptr fs:[00000030h]7_2_0157483A
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F2835 mov eax, dword ptr fs:[00000030h]7_2_014F2835
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F2835 mov eax, dword ptr fs:[00000030h]7_2_014F2835
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F2835 mov eax, dword ptr fs:[00000030h]7_2_014F2835
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F2835 mov ecx, dword ptr fs:[00000030h]7_2_014F2835
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F2835 mov eax, dword ptr fs:[00000030h]7_2_014F2835
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F2835 mov eax, dword ptr fs:[00000030h]7_2_014F2835
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FE8C0 mov eax, dword ptr fs:[00000030h]7_2_014FE8C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A08C0 mov eax, dword ptr fs:[00000030h]7_2_015A08C0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150C8F9 mov eax, dword ptr fs:[00000030h]7_2_0150C8F9
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150C8F9 mov eax, dword ptr fs:[00000030h]7_2_0150C8F9
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159A8E4 mov eax, dword ptr fs:[00000030h]7_2_0159A8E4
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155C89D mov eax, dword ptr fs:[00000030h]7_2_0155C89D
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D0887 mov eax, dword ptr fs:[00000030h]7_2_014D0887
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157EB50 mov eax, dword ptr fs:[00000030h]7_2_0157EB50
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A2B57 mov eax, dword ptr fs:[00000030h]7_2_015A2B57
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A2B57 mov eax, dword ptr fs:[00000030h]7_2_015A2B57
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A2B57 mov eax, dword ptr fs:[00000030h]7_2_015A2B57
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A2B57 mov eax, dword ptr fs:[00000030h]7_2_015A2B57
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01584B4B mov eax, dword ptr fs:[00000030h]7_2_01584B4B
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01584B4B mov eax, dword ptr fs:[00000030h]7_2_01584B4B
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01578B42 mov eax, dword ptr fs:[00000030h]7_2_01578B42
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01566B40 mov eax, dword ptr fs:[00000030h]7_2_01566B40
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01566B40 mov eax, dword ptr fs:[00000030h]7_2_01566B40
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0159AB40 mov eax, dword ptr fs:[00000030h]7_2_0159AB40
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014C8B50 mov eax, dword ptr fs:[00000030h]7_2_014C8B50
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014CCB7E mov eax, dword ptr fs:[00000030h]7_2_014CCB7E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154EB1D mov eax, dword ptr fs:[00000030h]7_2_0154EB1D
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154EB1D mov eax, dword ptr fs:[00000030h]7_2_0154EB1D
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154EB1D mov eax, dword ptr fs:[00000030h]7_2_0154EB1D
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154EB1D mov eax, dword ptr fs:[00000030h]7_2_0154EB1D
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154EB1D mov eax, dword ptr fs:[00000030h]7_2_0154EB1D
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154EB1D mov eax, dword ptr fs:[00000030h]7_2_0154EB1D
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154EB1D mov eax, dword ptr fs:[00000030h]7_2_0154EB1D
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154EB1D mov eax, dword ptr fs:[00000030h]7_2_0154EB1D
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154EB1D mov eax, dword ptr fs:[00000030h]7_2_0154EB1D
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_015A4B00 mov eax, dword ptr fs:[00000030h]7_2_015A4B00
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FEB20 mov eax, dword ptr fs:[00000030h]7_2_014FEB20
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FEB20 mov eax, dword ptr fs:[00000030h]7_2_014FEB20
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01598B28 mov eax, dword ptr fs:[00000030h]7_2_01598B28
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01598B28 mov eax, dword ptr fs:[00000030h]7_2_01598B28
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D0BCD mov eax, dword ptr fs:[00000030h]7_2_014D0BCD
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D0BCD mov eax, dword ptr fs:[00000030h]7_2_014D0BCD
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D0BCD mov eax, dword ptr fs:[00000030h]7_2_014D0BCD
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F0BCB mov eax, dword ptr fs:[00000030h]7_2_014F0BCB
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F0BCB mov eax, dword ptr fs:[00000030h]7_2_014F0BCB
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F0BCB mov eax, dword ptr fs:[00000030h]7_2_014F0BCB
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157EBD0 mov eax, dword ptr fs:[00000030h]7_2_0157EBD0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155CBF0 mov eax, dword ptr fs:[00000030h]7_2_0155CBF0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FEBFC mov eax, dword ptr fs:[00000030h]7_2_014FEBFC
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D8BF0 mov eax, dword ptr fs:[00000030h]7_2_014D8BF0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D8BF0 mov eax, dword ptr fs:[00000030h]7_2_014D8BF0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D8BF0 mov eax, dword ptr fs:[00000030h]7_2_014D8BF0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01584BB0 mov eax, dword ptr fs:[00000030h]7_2_01584BB0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01584BB0 mov eax, dword ptr fs:[00000030h]7_2_01584BB0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0BBE mov eax, dword ptr fs:[00000030h]7_2_014E0BBE
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0BBE mov eax, dword ptr fs:[00000030h]7_2_014E0BBE
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0A5B mov eax, dword ptr fs:[00000030h]7_2_014E0A5B
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014E0A5B mov eax, dword ptr fs:[00000030h]7_2_014E0A5B
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D6A50 mov eax, dword ptr fs:[00000030h]7_2_014D6A50
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D6A50 mov eax, dword ptr fs:[00000030h]7_2_014D6A50
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D6A50 mov eax, dword ptr fs:[00000030h]7_2_014D6A50
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D6A50 mov eax, dword ptr fs:[00000030h]7_2_014D6A50
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D6A50 mov eax, dword ptr fs:[00000030h]7_2_014D6A50
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D6A50 mov eax, dword ptr fs:[00000030h]7_2_014D6A50
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D6A50 mov eax, dword ptr fs:[00000030h]7_2_014D6A50
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154CA72 mov eax, dword ptr fs:[00000030h]7_2_0154CA72
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0154CA72 mov eax, dword ptr fs:[00000030h]7_2_0154CA72
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0157EA60 mov eax, dword ptr fs:[00000030h]7_2_0157EA60
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150CA6F mov eax, dword ptr fs:[00000030h]7_2_0150CA6F
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150CA6F mov eax, dword ptr fs:[00000030h]7_2_0150CA6F
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150CA6F mov eax, dword ptr fs:[00000030h]7_2_0150CA6F
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0155CA11 mov eax, dword ptr fs:[00000030h]7_2_0155CA11
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014FEA2E mov eax, dword ptr fs:[00000030h]7_2_014FEA2E
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150CA38 mov eax, dword ptr fs:[00000030h]7_2_0150CA38
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150CA24 mov eax, dword ptr fs:[00000030h]7_2_0150CA24
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F4A35 mov eax, dword ptr fs:[00000030h]7_2_014F4A35
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014F4A35 mov eax, dword ptr fs:[00000030h]7_2_014F4A35
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01504AD0 mov eax, dword ptr fs:[00000030h]7_2_01504AD0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01504AD0 mov eax, dword ptr fs:[00000030h]7_2_01504AD0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014D0AD0 mov eax, dword ptr fs:[00000030h]7_2_014D0AD0
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01526ACC mov eax, dword ptr fs:[00000030h]7_2_01526ACC
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01526ACC mov eax, dword ptr fs:[00000030h]7_2_01526ACC
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01526ACC mov eax, dword ptr fs:[00000030h]7_2_01526ACC
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150AAEE mov eax, dword ptr fs:[00000030h]7_2_0150AAEE
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_0150AAEE mov eax, dword ptr fs:[00000030h]7_2_0150AAEE
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_01508A90 mov edx, dword ptr fs:[00000030h]7_2_01508A90
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DEA80 mov eax, dword ptr fs:[00000030h]7_2_014DEA80
            Source: C:\Users\user\Desktop\Quote35664776.exeCode function: 7_2_014DEA80 mov eax, dword ptr fs:[00000030h]7_2_014DEA80
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Adds a directory exclusion to Windows Defender
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote35664776.exe"
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote35664776.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote35664776.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeProcess created: C:\Users\user\Desktop\Quote35664776.exe "C:\Users\user\Desktop\Quote35664776.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeQueries volume information: C:\Users\user\Desktop\Quote35664776.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quote35664776.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 7.2.Quote35664776.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 7.2.Quote35664776.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.1359589287.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.1358925300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 7.2.Quote35664776.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 7.2.Quote35664776.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.1359589287.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.1358925300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
            Command and Scripting Interpreter            		1
            DLL Side-Loading            		11
            Process Injection            		1
            Masquerading            		OS Credential Dumping2
            Security Software Discovery            		Remote Services1
            Archive Collected Data            		1
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
            DLL Side-Loading            		11
            Disable or Modify Tools            		LSASS Memory1
            Process Discovery            		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)41
            Virtualization/Sandbox Evasion            		Security Account Manager41
            Virtualization/Sandbox Evasion            		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
            Process Injection            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Deobfuscate/Decode Files or Information            		LSA Secrets1
            File and Directory Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
            Obfuscated Files or Information            		Cached Domain Credentials12
            System Information Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
            Software Packing            		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            Timestomp            		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
            DLL Side-Loading            		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 signatures2 2 Behavior Graph ID: 1543824 Sample: Quote35664776.exe Startdate: 28/10/2024 Architecture: WINDOWS Score: 100 22 Malicious sample detected (through community Yara rule) 2->22 24 Antivirus / Scanner detection for submitted sample 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 6 other signatures 2->28 7 Quote35664776.exe 4 2->7         started        process3 file4 20 C:\Users\user\...\Quote35664776.exe.log, ASCII 7->20 dropped 30 Adds a directory exclusion to Windows Defender 7->30 11 powershell.exe 23 7->11         started        14 Quote35664776.exe 7->14         started        signatures5 process6 signatures7 32 Loading BitLocker PowerShell Module 11->32 16 conhost.exe 11->16         started        18 WmiPrvSE.exe 11->18         started        process8

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            Quote35664776.exe42%ReversingLabsByteCode-MSIL.Trojan.SnakeLogger
            Quote35664776.exe100%AviraHEUR/AGEN.1305635
            Quote35664776.exe100%Joe Sandbox ML

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameQuote35664776.exe, 00000003.00000002.1331118649.0000000002D2D000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown

            World Map of Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1543824
            Start date and time:2024-10-28 14:24:05 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 6m 26s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:16
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:Quote35664776.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@7/6@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 94%
            • Number of executed functions: 33
            • Number of non-executed functions: 264
            Cookbook Comments:
            • Found application associated with file extension: .exe

            Warnings

            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes where analyzed, report is missing behavior information
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • VT rate limit hit for: Quote35664776.exe

            Simulations

            Behavior and APIs

            TimeTypeDescription
            09:25:04API Interceptor4x Sleep call for process: Quote35664776.exe modified
            09:25:05API Interceptor28x Sleep call for process: powershell.exe modified

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASNs

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quote35664776.exe.log

            Download File
            Process:C:\Users\user\Desktop\Quote35664776.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1216
            Entropy (8bit):5.34331486778365
            Encrypted:false
            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
            MD5:1330C80CAAC9A0FB172F202485E9B1E8
            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
            Malicious:true
            Reputation:high, very likely benign file
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):2232
            Entropy (8bit):5.380805901110357
            Encrypted:false
            SSDEEP:48:lylWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMugeC/ZM0Uyus:lGLHxvCZfIfSKRHmOugw1s
            MD5:A6C11D5EB8FF113F746691904CC1C285
            SHA1:85159530ED2933460F7D0793776D5FC2B1FAE500
            SHA-256:7C1AA4858AF77BB1C1ADA78CE4816C4178A74E0A9CCFDB1E7F6A6FA3A08D6A1B
            SHA-512:3460404875D62BD2318704741E443A0EF38352E977EEEE5EC7C39E6FCE9596D7E0F0A401780993697AE21FB68E2B9A9AF3A662667FB9EA48D7DD8E5B6148AF1E
            Malicious:false
            Reputation:moderate, very likely benign file
            Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_auxzxpwz.0ck.ps1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Reputation:high, very likely benign file
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_if0mrgnt.uxi.ps1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_op5bbgn2.ayq.psm1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t32hqeow.beo.psm1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.971865396931729
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            File name:Quote35664776.exe
            File size:733'184 bytes
            MD5:560b914d9a5652a2cd8e91885a866954
            SHA1:e516c3e218ab80245f3f2eb1502a1ecb07e69ba3
            SHA256:bcca185afcdcd92fde60a3d4676f7efd40126e9ce50d9971f7e725bd04b8bfb4
            SHA512:fea75c98468a853a7af9068c28c2342e52ec753d1fabd4b82c23b6198b2cf926912b99b76f99ad24f620b4719f5e93b07f43e04fc05586e5d53ea45b4fbab591
            SSDEEP:12288:mMfzuSQarUz6rgz03UoSLXpY7biYbhvFDmO2saTexUnBq9/RVTrnqo:ms3rBlUoSLuviY1vFDr3xkUxRBnq
            TLSH:54F4231432588FA8F9AC43FF8D307A489BB82447BA95F548BFE451CB5537F920191B2B
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....lc...............0..$..........nB... ...`....@.. ....................................@................................

            File Icon

            Icon Hash:00928e8e8686b000

            Static PE Info

            General

            Entrypoint:0x4b426e
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x89636CF8 [Fri Jan 16 04:15:52 2043 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

            Entrypoint Preview

            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0xb421a0x4f.text
            IMAGE_DIRECTORY_ENTRY_RESOURCE0xb60000x620.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0xb80000xc.reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG0xb2b140x70.text
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

            Sections

            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
            .text0x20000xb22740xb2400001434d72924c196ad46477bcbbb286dFalse0.9764693636044881data7.977991168390122IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rsrc0xb60000x6200x8002912a0276301ba22f69c7c604e75fd30False0.3369140625data3.4652399053043994IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc0xb80000xc0x200aab9d2a5f853978700819446d943a8aeFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Resources

            NameRVASizeTypeLanguageCountryZLIB Complexity
            RT_VERSION0xb60900x390data0.42653508771929827
            RT_MANIFEST0xb64300x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

            Imports

            DLLImport
            mscoree.dll_CorExeMain

            Network Behavior

            No network behavior found

            Statistics

            CPU Usage

            Click to jump to process

            Memory Usage

            Click to jump to process

            High Level Behavior Distribution

            Click to dive into process behavior distribution

            Behavior

            Click to jump to process

            System Behavior

            General

            Target ID:3
            Start time:09:25:03
            Start date:28/10/2024
            Path:C:\Users\user\Desktop\Quote35664776.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\Quote35664776.exe"
            Imagebase:0x680000
            File size:733'184 bytes
            MD5 hash:560B914D9A5652A2CD8E91885A866954
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            General

            Target ID:6
            Start time:09:25:04
            Start date:28/10/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quote35664776.exe"
            Imagebase:0x630000
            File size:433'152 bytes
            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:7
            Start time:09:25:04
            Start date:28/10/2024
            Path:C:\Users\user\Desktop\Quote35664776.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\Quote35664776.exe"
            Imagebase:0x8f0000
            File size:733'184 bytes
            MD5 hash:560B914D9A5652A2CD8E91885A866954
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1359589287.0000000001340000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.1359589287.0000000001340000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1358925300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.1358925300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
            Reputation:low
            Has exited:true

            General

            Target ID:8
            Start time:09:25:04
            Start date:28/10/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x5b0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:10
            Start time:09:25:08
            Start date:28/10/2024
            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Imagebase:0x7ff7fb730000
            File size:496'640 bytes
            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
            Has elevated privileges:true
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Disassembly

            Reset < >

              Execution Graph

              Execution Coverage:8.7%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:57
              Total number of Limit Nodes:6
              execution_graph 17531 cc51596 17532 cc51524 17531->17532 17534 cc51599 17531->17534 17533 cc51552 17532->17533 17537 cc519d9 17532->17537 17541 cc51e2b 17532->17541 17545 cc501cc 17537->17545 17549 cc501d8 17537->17549 17553 cc50006 17541->17553 17557 cc50040 17541->17557 17542 cc51a35 17542->17533 17546 cc501d8 CreateProcessA 17545->17546 17548 cc50423 17546->17548 17548->17548 17550 cc50261 CreateProcessA 17549->17550 17552 cc50423 17550->17552 17552->17552 17554 cc50040 ReadProcessMemory 17553->17554 17556 cc500cf 17554->17556 17556->17542 17558 cc5008b ReadProcessMemory 17557->17558 17560 cc500cf 17558->17560 17560->17542 17508 10c4668 17509 10c467a 17508->17509 17510 10c4686 17509->17510 17512 10c4778 17509->17512 17513 10c479d 17512->17513 17517 10c4888 17513->17517 17521 10c4879 17513->17521 17519 10c48af 17517->17519 17518 10c498c 17519->17518 17525 10c44c4 17519->17525 17523 10c48af 17521->17523 17522 10c498c 17522->17522 17523->17522 17524 10c44c4 CreateActCtxA 17523->17524 17524->17522 17526 10c5918 CreateActCtxA 17525->17526 17528 10c59db 17526->17528 17561 10cd178 17562 10cd1be GetCurrentProcess 17561->17562 17564 10cd209 17562->17564 17565 10cd210 GetCurrentThread 17562->17565 17564->17565 17566 10cd24d GetCurrentProcess 17565->17566 17567 10cd246 17565->17567 17568 10cd283 17566->17568 17567->17566 17569 10cd2ab GetCurrentThreadId 17568->17569 17570 10cd2dc 17569->17570 17571 10cb3b8 17572 10cb3fa 17571->17572 17573 10cb400 GetModuleHandleW 17571->17573 17572->17573 17574 10cb42d 17573->17574 17575 cc527f0 17576 cc527f9 17575->17576 17577 cc5297b 17576->17577 17580 cc52a70 PostMessageW 17576->17580 17582 cc52a68 17576->17582 17581 cc52adc 17580->17581 17581->17576 17583 cc52a70 PostMessageW 17582->17583 17584 cc52adc 17583->17584 17584->17576 17529 10cd3c0 DuplicateHandle 17530 10cd456 17529->17530

              Executed Functions

              Function 0CC53A10 Relevance: .4, Instructions: 396COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000003.00000002.1340641472.000000000CC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CC50000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_cc50000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fbd4fe7304a73f6ae4ea9decc935235824d49bb98811f244b3d01937f7efca47
              • Instruction ID: 27215082f3d6e4cf8e2e71b0ef811e157a83fb54c4ea9b7439de1ffd99cd4433
              • Opcode Fuzzy Hash: fbd4fe7304a73f6ae4ea9decc935235824d49bb98811f244b3d01937f7efca47
              • Instruction Fuzzy Hash: 05E1DF30B013448FDB29DB75C454BAEB7F6AF88640F28446DD5468B2A0DF34E981CB95
              Function 010CD168 Relevance: 6.1, APIs: 4, Instructions: 133threadCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 294 10cd168-10cd207 GetCurrentProcess 298 10cd209-10cd20f 294->298 299 10cd210-10cd244 GetCurrentThread 294->299 298->299 300 10cd24d-10cd281 GetCurrentProcess 299->300 301 10cd246-10cd24c 299->301 303 10cd28a-10cd2a5 call 10cd347 300->303 304 10cd283-10cd289 300->304 301->300 307 10cd2ab-10cd2da GetCurrentThreadId 303->307 304->303 308 10cd2dc-10cd2e2 307->308 309 10cd2e3-10cd345 307->309 308->309
              APIs
              • GetCurrentProcess.KERNEL32 ref: 010CD1F6
              • GetCurrentThread.KERNEL32 ref: 010CD233
              • GetCurrentProcess.KERNEL32 ref: 010CD270
              • GetCurrentThreadId.KERNEL32 ref: 010CD2C9
              Memory Dump Source
              • Source File: 00000003.00000002.1315507085.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_10c0000_Quote35664776.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: 2360cbbc79f4ee17008406aff7481e0f6c887e559aa7320994be386c0b1c0e16
              • Instruction ID: 042a68ca84bdd072f486a1254f99b199796aebc298c4e3397a17581995c928d6
              • Opcode Fuzzy Hash: 2360cbbc79f4ee17008406aff7481e0f6c887e559aa7320994be386c0b1c0e16
              • Instruction Fuzzy Hash: 3F5155B0D003498FDB54DFA9D548B9EBBF2EF88310F208469E459A72A0DB389945CF65
              Function 010CD178 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 316 10cd178-10cd207 GetCurrentProcess 320 10cd209-10cd20f 316->320 321 10cd210-10cd244 GetCurrentThread 316->321 320->321 322 10cd24d-10cd281 GetCurrentProcess 321->322 323 10cd246-10cd24c 321->323 325 10cd28a-10cd2a5 call 10cd347 322->325 326 10cd283-10cd289 322->326 323->322 329 10cd2ab-10cd2da GetCurrentThreadId 325->329 326->325 330 10cd2dc-10cd2e2 329->330 331 10cd2e3-10cd345 329->331 330->331
              APIs
              • GetCurrentProcess.KERNEL32 ref: 010CD1F6
              • GetCurrentThread.KERNEL32 ref: 010CD233
              • GetCurrentProcess.KERNEL32 ref: 010CD270
              • GetCurrentThreadId.KERNEL32 ref: 010CD2C9
              Memory Dump Source
              • Source File: 00000003.00000002.1315507085.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_10c0000_Quote35664776.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: 282379fae7e6cebedd14c95f82c4f5ee0cfb9f353b587cfebe8ed407ba552963
              • Instruction ID: 27896a91dd2950b61dc1e8094452857a9439805dbdc85ab8f3ea5b62446fbd58
              • Opcode Fuzzy Hash: 282379fae7e6cebedd14c95f82c4f5ee0cfb9f353b587cfebe8ed407ba552963
              • Instruction Fuzzy Hash: 665156B0D003498FDB54DFA9D548B9EBBF1EF88314F208469E419A7250DB349945CF65
              Function 0CC501CC Relevance: 1.7, APIs: 1, Instructions: 246processCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 413 cc501cc-cc5026d 416 cc502a6-cc502c6 413->416 417 cc5026f-cc50279 413->417 424 cc502ff-cc5032e 416->424 425 cc502c8-cc502d2 416->425 417->416 418 cc5027b-cc5027d 417->418 419 cc502a0-cc502a3 418->419 420 cc5027f-cc50289 418->420 419->416 422 cc5028d-cc5029c 420->422 423 cc5028b 420->423 422->422 426 cc5029e 422->426 423->422 431 cc50367-cc50421 CreateProcessA 424->431 432 cc50330-cc5033a 424->432 425->424 427 cc502d4-cc502d6 425->427 426->419 429 cc502f9-cc502fc 427->429 430 cc502d8-cc502e2 427->430 429->424 433 cc502e4 430->433 434 cc502e6-cc502f5 430->434 445 cc50423-cc50429 431->445 446 cc5042a-cc504b0 431->446 432->431 435 cc5033c-cc5033e 432->435 433->434 434->434 436 cc502f7 434->436 437 cc50361-cc50364 435->437 438 cc50340-cc5034a 435->438 436->429 437->431 440 cc5034c 438->440 441 cc5034e-cc5035d 438->441 440->441 441->441 442 cc5035f 441->442 442->437 445->446 456 cc504c0-cc504c4 446->456 457 cc504b2-cc504b6 446->457 458 cc504d4-cc504d8 456->458 459 cc504c6-cc504ca 456->459 457->456 460 cc504b8 457->460 462 cc504e8-cc504ec 458->462 463 cc504da-cc504de 458->463 459->458 461 cc504cc 459->461 460->456 461->458 465 cc504fe-cc50505 462->465 466 cc504ee-cc504f4 462->466 463->462 464 cc504e0 463->464 464->462 467 cc50507-cc50516 465->467 468 cc5051c 465->468 466->465 467->468 469 cc5051d 468->469 469->469
              APIs
              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0CC5040E
              Memory Dump Source
              • Source File: 00000003.00000002.1340641472.000000000CC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CC50000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_cc50000_Quote35664776.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 29f4b890e90c47e60439b2f3ebefaaf53e71a778324e48b7ec87b02f3230d791
              • Instruction ID: bce8f15a7fc3c4c5973bd8ce7463fdaaf1ff68100b8e1f6cd19db2f5fe7633d7
              • Opcode Fuzzy Hash: 29f4b890e90c47e60439b2f3ebefaaf53e71a778324e48b7ec87b02f3230d791
              • Instruction Fuzzy Hash: 52915A71E017598FEB24DF68C881BEDBBB2BF48310F148169E848E7240DB759A85CF95
              Function 0CC501D8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 471 cc501d8-cc5026d 473 cc502a6-cc502c6 471->473 474 cc5026f-cc50279 471->474 481 cc502ff-cc5032e 473->481 482 cc502c8-cc502d2 473->482 474->473 475 cc5027b-cc5027d 474->475 476 cc502a0-cc502a3 475->476 477 cc5027f-cc50289 475->477 476->473 479 cc5028d-cc5029c 477->479 480 cc5028b 477->480 479->479 483 cc5029e 479->483 480->479 488 cc50367-cc50421 CreateProcessA 481->488 489 cc50330-cc5033a 481->489 482->481 484 cc502d4-cc502d6 482->484 483->476 486 cc502f9-cc502fc 484->486 487 cc502d8-cc502e2 484->487 486->481 490 cc502e4 487->490 491 cc502e6-cc502f5 487->491 502 cc50423-cc50429 488->502 503 cc5042a-cc504b0 488->503 489->488 492 cc5033c-cc5033e 489->492 490->491 491->491 493 cc502f7 491->493 494 cc50361-cc50364 492->494 495 cc50340-cc5034a 492->495 493->486 494->488 497 cc5034c 495->497 498 cc5034e-cc5035d 495->498 497->498 498->498 499 cc5035f 498->499 499->494 502->503 513 cc504c0-cc504c4 503->513 514 cc504b2-cc504b6 503->514 515 cc504d4-cc504d8 513->515 516 cc504c6-cc504ca 513->516 514->513 517 cc504b8 514->517 519 cc504e8-cc504ec 515->519 520 cc504da-cc504de 515->520 516->515 518 cc504cc 516->518 517->513 518->515 522 cc504fe-cc50505 519->522 523 cc504ee-cc504f4 519->523 520->519 521 cc504e0 520->521 521->519 524 cc50507-cc50516 522->524 525 cc5051c 522->525 523->522 524->525 526 cc5051d 525->526 526->526
              APIs
              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0CC5040E
              Memory Dump Source
              • Source File: 00000003.00000002.1340641472.000000000CC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CC50000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_cc50000_Quote35664776.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: aedd84146ef88cbcbb5ae45f6ae662bb7fd01d598128f3861e8c974fba800d83
              • Instruction ID: 64daa84a67343b7f9e742b67e46ee6abd63afaa7790ebbd880d61bc5fa05aafb
              • Opcode Fuzzy Hash: aedd84146ef88cbcbb5ae45f6ae662bb7fd01d598128f3861e8c974fba800d83
              • Instruction Fuzzy Hash: E5915A71E017198FEB24DF68C881BEDBBB2BF48310F148169E848E7240DB759A85CF95
              Function 010C44C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 528 10c44c4-10c59d9 CreateActCtxA 531 10c59db-10c59e1 528->531 532 10c59e2-10c5a3c 528->532 531->532 539 10c5a3e-10c5a41 532->539 540 10c5a4b-10c5a4f 532->540 539->540 541 10c5a60 540->541 542 10c5a51-10c5a5d 540->542 544 10c5a61 541->544 542->541 544->544
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 010C59C9
              Memory Dump Source
              • Source File: 00000003.00000002.1315507085.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_10c0000_Quote35664776.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 19118bce8a344ec918d4828e3e2eea790d277d35617ecc8e2ed040209b4a6f6e
              • Instruction ID: 53da8d32f2cf417a645ebff9154ae2ed3351bee25de163f12387435387b5775c
              • Opcode Fuzzy Hash: 19118bce8a344ec918d4828e3e2eea790d277d35617ecc8e2ed040209b4a6f6e
              • Instruction Fuzzy Hash: 4641F171D00729CBEB24DFAAC8847DEBBF5BF48704F20816AD408AB251DB756946CF90
              Function 010C590D Relevance: 1.6, APIs: 1, Instructions: 96COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 545 10c590d-10c59d9 CreateActCtxA 547 10c59db-10c59e1 545->547 548 10c59e2-10c5a3c 545->548 547->548 555 10c5a3e-10c5a41 548->555 556 10c5a4b-10c5a4f 548->556 555->556 557 10c5a60 556->557 558 10c5a51-10c5a5d 556->558 560 10c5a61 557->560 558->557 560->560
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 010C59C9
              Memory Dump Source
              • Source File: 00000003.00000002.1315507085.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_10c0000_Quote35664776.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 547b6aec278993e8362013b07e37632d2942565f91d08e4dcd6188a7ad0fd01b
              • Instruction ID: f3d63a77a8f198d4610b8b0e134eeca6106b8202924f1fb4aaf1f94d6a5dadcf
              • Opcode Fuzzy Hash: 547b6aec278993e8362013b07e37632d2942565f91d08e4dcd6188a7ad0fd01b
              • Instruction Fuzzy Hash: 1B41E2B1D00719CBEB24CFAAC8847DEBBF1BF48714F20815AD448AB251DB756946CF50
              Function 0CC50006 Relevance: 1.6, APIs: 1, Instructions: 88COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 561 cc50006-cc500cd ReadProcessMemory 565 cc500d6-cc50106 561->565 566 cc500cf-cc500d5 561->566 566->565
              APIs
              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0CC500C0
              Memory Dump Source
              • Source File: 00000003.00000002.1340641472.000000000CC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CC50000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_cc50000_Quote35664776.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: 210c95c3e6b2d3f3171f77299f3f1d8ff6b9876f3af455e7f6cd630144566417
              • Instruction ID: e9aabca86aa2572e47581ccd9a75687d29aa5080002c4ae07292917dc15d6ea3
              • Opcode Fuzzy Hash: 210c95c3e6b2d3f3171f77299f3f1d8ff6b9876f3af455e7f6cd630144566417
              • Instruction Fuzzy Hash: 1231AC718053898FDB11CFA9C850AEEBFF4FF4A310F55849ED499AB252C7385805CB61
              Function 010CB38A Relevance: 1.6, APIs: 1, Instructions: 66COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 570 10cb38a-10cb3f8 572 10cb3fa-10cb3fd 570->572 573 10cb400-10cb42b GetModuleHandleW 570->573 572->573 574 10cb42d-10cb433 573->574 575 10cb434-10cb448 573->575 574->575
              APIs
              • GetModuleHandleW.KERNEL32(00000000), ref: 010CB41E
              Memory Dump Source
              • Source File: 00000003.00000002.1315507085.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_10c0000_Quote35664776.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 020e1d846920551f5ed4ca1d082fe9fa7de7e1c053009902bcbcf1082438cb60
              • Instruction ID: 721cf36d6db698ce323819ffb3ab618fc00b038b4ddbd2d9b4e1510de23fe71f
              • Opcode Fuzzy Hash: 020e1d846920551f5ed4ca1d082fe9fa7de7e1c053009902bcbcf1082438cb60
              • Instruction Fuzzy Hash: A2218BB1C053898FDB11CFAAC8416DEFFF0EF49214F15809AC498A7252C339950ACFA1
              Function 010CD3B8 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 577 10cd3b8-10cd454 DuplicateHandle 578 10cd45d-10cd47a 577->578 579 10cd456-10cd45c 577->579 579->578
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010CD447
              Memory Dump Source
              • Source File: 00000003.00000002.1315507085.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_10c0000_Quote35664776.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: efe2939d24ae204107cd2849ea33918d385783ae7b9354380712fcc20b3645ba
              • Instruction ID: 5a1211c9e26632f4b6431772ffc9d21054bbaca109e8a65b66b718807971b4aa
              • Opcode Fuzzy Hash: efe2939d24ae204107cd2849ea33918d385783ae7b9354380712fcc20b3645ba
              • Instruction Fuzzy Hash: BC21F4B5D002489FDB10CFAAD484AEEBBF4EB48310F14801AE958A3210D375A955CF60
              Function 0CC50040 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 582 cc50040-cc500cd ReadProcessMemory 585 cc500d6-cc50106 582->585 586 cc500cf-cc500d5 582->586 586->585
              APIs
              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0CC500C0
              Memory Dump Source
              • Source File: 00000003.00000002.1340641472.000000000CC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CC50000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_cc50000_Quote35664776.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: 9ec26024d2ee86bee84ccb45d7bbe312d2fe725d8aefdfce1f24b51fab6dd56c
              • Instruction ID: a6b20e49a8e41212de4881e1dccba1fcf610324a255d89d996f680dbf427a9be
              • Opcode Fuzzy Hash: 9ec26024d2ee86bee84ccb45d7bbe312d2fe725d8aefdfce1f24b51fab6dd56c
              • Instruction Fuzzy Hash: 76211671D013499FDB10DFAAC881BEEBBF5FF48310F508429E958A7250C7799951CBA4
              Function 010CD3C0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 590 10cd3c0-10cd454 DuplicateHandle 591 10cd45d-10cd47a 590->591 592 10cd456-10cd45c 590->592 592->591
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010CD447
              Memory Dump Source
              • Source File: 00000003.00000002.1315507085.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_10c0000_Quote35664776.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 6844d73a39e637480402bc03e2bd6efb736b6a8727434c2766d59cebd3956f9a
              • Instruction ID: 81aeca5bc2a7f7dfa0ab04995fd706bf1f29526bf61abce897dc49fd96d75927
              • Opcode Fuzzy Hash: 6844d73a39e637480402bc03e2bd6efb736b6a8727434c2766d59cebd3956f9a
              • Instruction Fuzzy Hash: 8E21E4B5D003499FDB10CFAAD884ADEFBF4EB48320F14801AE958A3350D774A954CFA5
              Function 0CC52A68 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 595 cc52a68-cc52ada PostMessageW 597 cc52ae3-cc52af7 595->597 598 cc52adc-cc52ae2 595->598 598->597
              APIs
              • PostMessageW.USER32(?,?,?,?), ref: 0CC52ACD
              Memory Dump Source
              • Source File: 00000003.00000002.1340641472.000000000CC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CC50000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_cc50000_Quote35664776.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              • Opcode ID: 328e2476b249f39ef42dca7dba297259d36737a028e48b9d172e7bf2d86080cd
              • Instruction ID: 5b0b1a83ceaaa5c8268c432d0bc329a46202fbe61e7b6549c7b66aec9576cfd0
              • Opcode Fuzzy Hash: 328e2476b249f39ef42dca7dba297259d36737a028e48b9d172e7bf2d86080cd
              • Instruction Fuzzy Hash: D1113AB58003499FCB20DF99D845BDEFFF8EB48320F148419D458A7210C375A954CFA5
              Function 010CB3B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
              Download Yara Rule
              APIs
              • GetModuleHandleW.KERNEL32(00000000), ref: 010CB41E
              Memory Dump Source
              • Source File: 00000003.00000002.1315507085.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_10c0000_Quote35664776.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: c3b94ba852c4557e35e939e959ec401821eb43e946d13766cd236a0739a66226
              • Instruction ID: 863510133a945440ce416014ea48906f3e6dad773c7d1e28ffa5cef10deb86fc
              • Opcode Fuzzy Hash: c3b94ba852c4557e35e939e959ec401821eb43e946d13766cd236a0739a66226
              • Instruction Fuzzy Hash: 691110B6C003498FDB20DF9AD445BDEFBF8EB88324F10842AD568A7210C779A545CFA1
              Function 0CC52A70 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
              Download Yara Rule
              APIs
              • PostMessageW.USER32(?,?,?,?), ref: 0CC52ACD
              Memory Dump Source
              • Source File: 00000003.00000002.1340641472.000000000CC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CC50000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_cc50000_Quote35664776.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              • Opcode ID: 0cb48acdfca8a9c04da79965b57f6d8ebe51882a5740329905a0ea271ffe156c
              • Instruction ID: cf2966ada870cea1ab4d8956d8a55970a256275fdf09a3e9a19e70a2adc58f1b
              • Opcode Fuzzy Hash: 0cb48acdfca8a9c04da79965b57f6d8ebe51882a5740329905a0ea271ffe156c
              • Instruction Fuzzy Hash: C911E8B58003499FDB20DF9AD885BDEFBF8EB48320F108419D558A7250C375A994CFA5
              Function 0102D3D8 Relevance: .1, Instructions: 75COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000003.00000002.1310372510.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_102d000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fc1563c4ab70ab9ab7d283931c3ccd000a9271268bc743dc39020d224fe7c0b8
              • Instruction ID: d0942bcd57a9946714e021e8b16a9c0c53e17966e0fdc8a21e00b92b25ab6987
              • Opcode Fuzzy Hash: fc1563c4ab70ab9ab7d283931c3ccd000a9271268bc743dc39020d224fe7c0b8
              • Instruction Fuzzy Hash: 66214571604200DFDB05DF44D9C0B5ABFA5FB88324F20C1ADE9490F246C736E846CBA2
              Function 0103D1D4 Relevance: .1, Instructions: 72COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000003.00000002.1310839396.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_103d000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c5e59b3aa5054c731c639baafa574eb3e85f1ea0d78b1291b62d113da1e2daca
              • Instruction ID: 88c6fdb213bfd28235ef45e4a2ae7570113ba49b6e64545e496153679822b100
              • Opcode Fuzzy Hash: c5e59b3aa5054c731c639baafa574eb3e85f1ea0d78b1291b62d113da1e2daca
              • Instruction Fuzzy Hash: 7221F571604200EFDB55DF94D9C0B15BBA9FBD4324F60C5ADE8894B252C736D446CB61
              Function 0103D01C Relevance: .1, Instructions: 72COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000003.00000002.1310839396.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_103d000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 980e3760dbe37e0493e67e30cad996166fca585215879c17ac8153fc3911ebae
              • Instruction ID: bed27216a4879e9a667086a0e50812ca372a1bbe9181fbe8072b9c73bb2474d9
              • Opcode Fuzzy Hash: 980e3760dbe37e0493e67e30cad996166fca585215879c17ac8153fc3911ebae
              • Instruction Fuzzy Hash: BB21FF756042009FDB15DFA4D984B16FBA9EB84614F60C5A9E88A0B286C336D807CB62
              Function 0103D006 Relevance: .1, Instructions: 63COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000003.00000002.1310839396.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_103d000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 735aec0a4daba607c29b35cc8447a2104f04e88e832e9fc3217824867e0a592c
              • Instruction ID: 19800749cdcef959c0c572ab00323b6130fbfe9da02b2d2459a48fcea4b92ff6
              • Opcode Fuzzy Hash: 735aec0a4daba607c29b35cc8447a2104f04e88e832e9fc3217824867e0a592c
              • Instruction Fuzzy Hash: 892183755083809FCB02CF64D994711BFB5EB86314F28C5DAD8898F2A7C33A9816CB62
              Function 0102D3D3 Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000003.00000002.1310372510.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_102d000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
              • Instruction ID: 88466d778ac860926c2f21f264318978010ab2e5a50facf5881b68e794ad024e
              • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
              • Instruction Fuzzy Hash: 1A11E176504280CFDB06CF44D9C0B56BFB2FB84324F24C2A9D8490B257C33AE856CBA1
              Function 0103D1CF Relevance: .1, Instructions: 53COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000003.00000002.1310839396.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_103d000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
              • Instruction ID: 5eca651577b715476e2416f6486eb02c8a1571fb67d4944476760a00aa1ff9f6
              • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
              • Instruction Fuzzy Hash: 2311BB75504280DFCB06CF54C5C0B15BBA2FB84324F24C6ADD8894B296C33AD40ACB61
              Function 0102D759 Relevance: .0, Instructions: 45COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000003.00000002.1310372510.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_102d000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d97210a824b3a3b3b326384283c41b5881590be3478ab0e49e8245e3e4c64235
              • Instruction ID: f0940397e43dc0c3ee09593ea78af1cd9f143de06d35a2c35248dec15f3c1615
              • Opcode Fuzzy Hash: d97210a824b3a3b3b326384283c41b5881590be3478ab0e49e8245e3e4c64235
              • Instruction Fuzzy Hash: 3B01F2310083909AE7604AA5CCC4B6AFFD8EF41225F18C45AED884A282D33C9C44CBB2
              Function 0102D758 Relevance: .0, Instructions: 36COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000003.00000002.1310372510.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_102d000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6875eb2a69a29b197dab1d9a64a4ea2f2bc61b095c5a63515413e197052acbb3
              • Instruction ID: f4abf36ac5833ae022d987c4035f8f7920192ac7f3175ae4e7eb00a819795142
              • Opcode Fuzzy Hash: 6875eb2a69a29b197dab1d9a64a4ea2f2bc61b095c5a63515413e197052acbb3
              • Instruction Fuzzy Hash: 37F0C2320043909EE7608A0ACC84B62FFE8EF40735F18C49AED484A287C379AC44CBB1

              Non-executed Functions

              Function 010CDA8C Relevance: .3, Instructions: 264COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000003.00000002.1315507085.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_10c0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: de764a36a86df1c6347fe9f74aa7823397269f0dd0e92a7ca2059fead3df081a
              • Instruction ID: c51b5886e9ef21d0b0af5bb98d31521f93f29646a2e620f192cb7762088d635f
              • Opcode Fuzzy Hash: de764a36a86df1c6347fe9f74aa7823397269f0dd0e92a7ca2059fead3df081a
              • Instruction Fuzzy Hash: 4DA13C32A002069FCF19DFB4C8445DEBBB2BF85700B1585BEE946AB265DB31D956CF80

              Execution Graph

              Execution Coverage:0.8%
              Dynamic/Decrypted Code Coverage:6.5%
              Signature Coverage:10.2%
              Total number of Nodes:108
              Total number of Limit Nodes:10
              execution_graph 95048 42f763 95049 42f773 95048->95049 95050 42f779 95048->95050 95053 42e683 95050->95053 95052 42f79f 95056 42c813 95053->95056 95055 42e69b 95055->95052 95057 42c830 95056->95057 95058 42c841 RtlAllocateHeap 95057->95058 95058->95055 95059 424c83 95064 424c9c 95059->95064 95060 424d29 95061 424ce4 95067 42e5a3 95061->95067 95064->95060 95064->95061 95065 424d24 95064->95065 95066 42e5a3 RtlFreeHeap 95065->95066 95066->95060 95070 42c863 95067->95070 95069 424cf4 95071 42c87d 95070->95071 95072 42c88e RtlFreeHeap 95071->95072 95072->95069 95157 42bad3 95158 42baed 95157->95158 95161 1512df0 LdrInitializeThunk 95158->95161 95159 42bb15 95161->95159 95162 4248f3 95163 42490f 95162->95163 95164 424937 95163->95164 95165 42494b 95163->95165 95166 42c4e3 NtClose 95164->95166 95167 42c4e3 NtClose 95165->95167 95169 424940 95166->95169 95168 424954 95167->95168 95172 42e6c3 RtlAllocateHeap 95168->95172 95171 42495f 95172->95171 95173 1512b60 LdrInitializeThunk 95073 413a43 95076 42c773 95073->95076 95077 42c790 95076->95077 95080 1512c70 LdrInitializeThunk 95077->95080 95078 413a65 95080->95078 95081 4176e3 95082 417707 95081->95082 95083 417743 LdrLoadDll 95082->95083 95084 41770e 95082->95084 95083->95084 95085 413c23 95089 413c31 95085->95089 95087 413c9c 95088 413ca6 95089->95088 95090 41b333 RtlFreeHeap LdrInitializeThunk 95089->95090 95090->95087 95174 41e3f3 95175 41e419 95174->95175 95179 41e510 95175->95179 95180 42f893 95175->95180 95177 41e4b1 95178 42bb23 LdrInitializeThunk 95177->95178 95177->95179 95178->95179 95181 42f803 95180->95181 95182 42f860 95181->95182 95183 42e683 RtlAllocateHeap 95181->95183 95182->95177 95184 42f83d 95183->95184 95185 42e5a3 RtlFreeHeap 95184->95185 95185->95182 95091 401c64 95092 401c7e 95091->95092 95095 42fc33 95092->95095 95098 42e153 95095->95098 95099 42e179 95098->95099 95108 4074f3 95099->95108 95101 42e18f 95107 401ce9 95101->95107 95111 41b023 95101->95111 95103 42e1ae 95104 42c8b3 ExitProcess 95103->95104 95105 42e1c3 95103->95105 95104->95105 95122 42c8b3 95105->95122 95110 407500 95108->95110 95125 4163a3 95108->95125 95110->95101 95112 41b04f 95111->95112 95143 41af13 95112->95143 95115 41b094 95118 41b0b0 95115->95118 95120 42c4e3 NtClose 95115->95120 95116 41b07c 95117 41b087 95116->95117 95149 42c4e3 95116->95149 95117->95103 95118->95103 95121 41b0a6 95120->95121 95121->95103 95123 42c8d0 95122->95123 95124 42c8e1 ExitProcess 95123->95124 95124->95107 95126 4163c0 95125->95126 95128 4163d6 95126->95128 95129 42cf53 95126->95129 95128->95110 95131 42cf6d 95129->95131 95130 42cf9c 95130->95128 95131->95130 95136 42bb23 95131->95136 95134 42e5a3 RtlFreeHeap 95135 42d015 95134->95135 95135->95128 95137 42bb3d 95136->95137 95140 1512c0a 95137->95140 95138 42bb69 95138->95134 95141 1512c11 95140->95141 95142 1512c1f LdrInitializeThunk 95140->95142 95141->95138 95142->95138 95144 41b009 95143->95144 95145 41af2d 95143->95145 95144->95115 95144->95116 95152 42bbc3 95145->95152 95148 42c4e3 NtClose 95148->95144 95150 42c4fd 95149->95150 95151 42c50e NtClose 95150->95151 95151->95117 95153 42bbdd 95152->95153 95156 15135c0 LdrInitializeThunk 95153->95156 95154 41affd 95154->95148 95156->95154

              Executed Functions

              Function 004176E3 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 23 4176e3-41770c call 42f2a3 26 417712-417720 call 42f8a3 23->26 27 41770e-417711 23->27 30 417730-417741 call 42dc23 26->30 31 417722-41772d call 42fb43 26->31 36 417743-417757 LdrLoadDll 30->36 37 41775a-41775d 30->37 31->30 36->37
              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417755
              Memory Dump Source
              • Source File: 00000007.00000002.1358925300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_Quote35664776.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: 282508fb21bd17aca9df835b009d57495aa02ac7e438b1e4d569ef3af68b8a63
              • Instruction ID: 8fc80d6916356d0c54cf78bbd7535e2a4ae66fe1458a93b55015c8d7c175e8d1
              • Opcode Fuzzy Hash: 282508fb21bd17aca9df835b009d57495aa02ac7e438b1e4d569ef3af68b8a63
              • Instruction Fuzzy Hash: 3B015EB5E0020DABDB10EBE1DD42FDEB7789B14308F4041AAE91897280F635EB488B95
              Function 0042C4E3 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 43 42c4e3-42c51c call 404873 call 42d733 NtClose
              APIs
              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C517
              Memory Dump Source
              • Source File: 00000007.00000002.1358925300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_Quote35664776.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: e9cdab559d7ec7bf5155d117a313f9e6409ac217aa759235a9e10d3125478c55
              • Instruction ID: 2e7f3fb3884b6e8e9fb0e7dcd219f262dbfc7f4d195fe0be80c2e43ff28bfd8d
              • Opcode Fuzzy Hash: e9cdab559d7ec7bf5155d117a313f9e6409ac217aa759235a9e10d3125478c55
              • Instruction Fuzzy Hash: 30E086366002147BD260FB9AEC01FDB77ACDFC5710F40842AFA4867141CA74B90187F4
              Function 01512B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 57 1512b60-1512b6c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: e387755376a784b68fdc7a6ea670e5b6dc14e94db05f839ef27a5f08da7a75d4
              • Instruction ID: 49507d41a2c41417013409a2b8a43c7e2630286e3e28e15953ecad8202877881
              • Opcode Fuzzy Hash: e387755376a784b68fdc7a6ea670e5b6dc14e94db05f839ef27a5f08da7a75d4
              • Instruction Fuzzy Hash: 4490026320241003410571984415616408AA7E1211B59C421E1014994DCA6589916225
              Function 01512DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 59 1512df0-1512dfc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 4d4f2e63c09b76b3fecae46bd644940179ec32dc42b9a9070fe70391bab6b7c5
              • Instruction ID: d0e498f4c4ed81dab651dbdcd76e70d8c6c27462aae41ed5873ea9d73c9e549b
              • Opcode Fuzzy Hash: 4d4f2e63c09b76b3fecae46bd644940179ec32dc42b9a9070fe70391bab6b7c5
              • Instruction Fuzzy Hash: 6190023320141413D111719845057070089A7D1251F99C812E042495CDDB968A52A221
              Function 01512C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 58 1512c70-1512c7c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 58fef2394b12cbdb2de877cc1da80abace641805ab6a15542c8f1b140ac7e306
              • Instruction ID: 5d50df8cbbee2b2bda7aba468b2dc41503c7f9fb2553242b7c26a2e61193905f
              • Opcode Fuzzy Hash: 58fef2394b12cbdb2de877cc1da80abace641805ab6a15542c8f1b140ac7e306
              • Instruction Fuzzy Hash: 1A90023320149802D1107198840574A0085A7D1311F5DC811E4424A5CDCBD589917221
              Function 015135C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 60 15135c0-15135cc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: f68158959e1618102f68221b5d6e42e58eb3dfc90dea200d8e2e4ced8788f920
              • Instruction ID: a99eb259b985fbca9ff4af18ac9811caae9022af6ffa0c0908f25582513d86bf
              • Opcode Fuzzy Hash: f68158959e1618102f68221b5d6e42e58eb3dfc90dea200d8e2e4ced8788f920
              • Instruction Fuzzy Hash: 7B90023360551402D100719845157061085A7D1211F69C811E042496CDCBD58A5166A2
              Function 0042C863 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 0 42c863-42c8a4 call 404873 call 42d733 RtlFreeHeap
              APIs
              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042C89F
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1358925300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_Quote35664776.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID: 4dA
              • API String ID: 3298025750-3697888251
              • Opcode ID: d45dd4416ad7f3a90ec090a28f93a4118255ba9b713096ae3f43c4bfbed4663a
              • Instruction ID: 95c6e1cf8f50921438346b2c019ee274ecc2e822df50c29a14df8959a2e7ed7d
              • Opcode Fuzzy Hash: d45dd4416ad7f3a90ec090a28f93a4118255ba9b713096ae3f43c4bfbed4663a
              • Instruction Fuzzy Hash: C6E06D76604204BBD610EE99DC41FDB73ACEFC4710F00441AF908A7241DA74B911C7F8
              Function 0042C813 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 38 42c813-42c857 call 404873 call 42d733 RtlAllocateHeap
              APIs
              • RtlAllocateHeap.NTDLL(?,0041E4B1,?,?,00000000,?,0041E4B1,?,?,?), ref: 0042C852
              Memory Dump Source
              • Source File: 00000007.00000002.1358925300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_Quote35664776.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: c0c97e144f40e868a9476a0e994ce902a3f535a152f54a84e659e6420cbf2a46
              • Instruction ID: 83fbc1a649b13180b5dbe8e154e75011721def11b2ca418cc7d3df61b031a839
              • Opcode Fuzzy Hash: c0c97e144f40e868a9476a0e994ce902a3f535a152f54a84e659e6420cbf2a46
              • Instruction Fuzzy Hash: 80E06D76204254BBD610EE99DC41EDF77ACEFC5710F00441AF908A7241C770B91187B8
              Function 0042C8B3 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 48 42c8b3-42c8ef call 404873 call 42d733 ExitProcess
              APIs
              Memory Dump Source
              • Source File: 00000007.00000002.1358925300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_Quote35664776.jbxd
              Yara matches
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: a9a4a4c62b58ef0ba244859742880b5ac06f6282b498342e0cc2cdbd9f96dd99
              • Instruction ID: 0334e32139044cfb67a958e5bab765f99ba1e1fbbb8e6fe4313f94219555c775
              • Opcode Fuzzy Hash: a9a4a4c62b58ef0ba244859742880b5ac06f6282b498342e0cc2cdbd9f96dd99
              • Instruction Fuzzy Hash: E7E046362442147BD620AAAADC02F9BB76CDBC5724F40842AFA08A7242C774B905C7E4
              Function 01512C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 53 1512c0a-1512c0f 54 1512c11-1512c18 53->54 55 1512c1f-1512c26 LdrInitializeThunk 53->55
              APIs
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 73a7da0b9726624f05570fd9b0dffb3a7524c8ec29f26215bfac411abd1eec90
              • Instruction ID: 5c3d6b71e6925bc8e1553948165ea8800bf553775c93212eb37b81c4e41e2c7b
              • Opcode Fuzzy Hash: 73a7da0b9726624f05570fd9b0dffb3a7524c8ec29f26215bfac411abd1eec90
              • Instruction Fuzzy Hash: DAB09B739015D5D6EA12E7A4460971B794077D1715F29C461D3030A45F4778C1D1E275

              Non-executed Functions

              Function 01552349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2160512332
              • Opcode ID: 4435f38c0a41c2b897add365439d9e0bd15f21fce532626e45f687fdf967654f
              • Instruction ID: 2b4d3c7abe67a87184204e65ecb610cb21cbc106c77bf539cb21be563db15a04
              • Opcode Fuzzy Hash: 4435f38c0a41c2b897add365439d9e0bd15f21fce532626e45f687fdf967654f
              • Instruction Fuzzy Hash: 1A928E71608342EFE761CF29C890B6BB7E8BB84754F14481EFA95DB261D770E844CB92
              Function 01508620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON
              Download Yara Rule
              Strings
              • Thread identifier, xrefs: 0154553A
              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015454E2
              • Address of the debug info found in the active list., xrefs: 015454AE, 015454FA
              • double initialized or corrupted critical section, xrefs: 01545508
              • Critical section address, xrefs: 01545425, 015454BC, 01545534
              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015454CE
              • Critical section address., xrefs: 01545502
              • corrupted critical section, xrefs: 015454C2
              • undeleted critical section in freed memory, xrefs: 0154542B
              • Invalid debug info address of this critical section, xrefs: 015454B6
              • Critical section debug info address, xrefs: 0154541F, 0154552E
              • 8, xrefs: 015452E3
              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0154540A, 01545496, 01545519
              • Thread is in a state in which it cannot own a critical section, xrefs: 01545543
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
              • API String ID: 0-2368682639
              • Opcode ID: d82d780b04a8e09e1f18f1da6a9b3a6a430f48c7696d7b5a2c8019aa76093e4e
              • Instruction ID: 5f34bc8b700b5a792d0c50778f25463c40f39126f440fecc71fdf520166f023f
              • Opcode Fuzzy Hash: d82d780b04a8e09e1f18f1da6a9b3a6a430f48c7696d7b5a2c8019aa76093e4e
              • Instruction Fuzzy Hash: 71818FB0A41349EFDB61CF99C885BEEBBF9BB08714F20411AF505BB250D375A945CB60
              Function 015029F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON
              Download Yara Rule
              Strings
              • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01542602
              • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 015424C0
              • RtlpResolveAssemblyStorageMapEntry, xrefs: 0154261F
              • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01542412
              • @, xrefs: 0154259B
              • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01542409
              • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 015422E4
              • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01542498
              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01542506
              • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01542624
              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 015425EB
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
              • API String ID: 0-4009184096
              • Opcode ID: c5523077acb33f3c3c36a083b245cbc2c7bae3c0c213f3369d92342cceddc4cc
              • Instruction ID: 97fe3236e3c4571f094845e808a80188c94754b3e6097ac87f5fbe79dba17f51
              • Opcode Fuzzy Hash: c5523077acb33f3c3c36a083b245cbc2c7bae3c0c213f3369d92342cceddc4cc
              • Instruction Fuzzy Hash: 780250F1D002299BDB22DB54CD84BEDB7B8BF54314F4045DAE609AB281DB709E84CF69
              Function 01578B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
              • API String ID: 0-2515994595
              • Opcode ID: ab8a40378fb0f01a9389abb25d174497791a4953ff942e1d1309a099682d72f0
              • Instruction ID: b3f5a48c1bd1139a56b09a0724b73b8bbeee87ace86ec0c6d16e73deb9de9ca3
              • Opcode Fuzzy Hash: ab8a40378fb0f01a9389abb25d174497791a4953ff942e1d1309a099682d72f0
              • Instruction Fuzzy Hash: 1151D2716143029BD335CF18D84ABABBBECFF94640F55491EE959CB250E770D504C792
              Function 01580274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
              • API String ID: 0-1700792311
              • Opcode ID: 569e304b1296e326b79807d87f41d2740698a3d6792572f60ec757d7632d9470
              • Instruction ID: 9f13fd31d3f9924556f2e5785e2f810c44dd5efbac0bc6c5ad9af34b254a982f
              • Opcode Fuzzy Hash: 569e304b1296e326b79807d87f41d2740698a3d6792572f60ec757d7632d9470
              • Instruction Fuzzy Hash: 52D1FE35600682DFDB22EF69C451AADBBF1FF59714F19804EF445AF2A2C7349949CB20
              Function 015589B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON
              Download Yara Rule
              Strings
              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01558A3D
              • AVRF: -*- final list of providers -*- , xrefs: 01558B8F
              • VerifierFlags, xrefs: 01558C50
              • VerifierDlls, xrefs: 01558CBD
              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01558A67
              • HandleTraces, xrefs: 01558C8F
              • VerifierDebug, xrefs: 01558CA5
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
              • API String ID: 0-3223716464
              • Opcode ID: 87a90cd74e95de4b85a7197702c298f18137c99edb0a8b1faf8d1915c13643fc
              • Instruction ID: 796c9380a979ea89552a5cda7d2afec1fdd6365c899dfbf47e3d98cc1afc5178
              • Opcode Fuzzy Hash: 87a90cd74e95de4b85a7197702c298f18137c99edb0a8b1faf8d1915c13643fc
              • Instruction Fuzzy Hash: E8911671601B02DFD761DFAAC8A0B5A77E9BB94B14F45041EFE416F251E770AC04C791
              Function 014DEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
              • API String ID: 0-1109411897
              • Opcode ID: 3a075b17c6ae53054d6fcfe21a5f3f3a7779ed2a23cf778c5a9a99aa0d6ed8a3
              • Instruction ID: 789607575035adf6f891f272a9f29b483b803c3d2bd739fee0b2f92dcee3c044
              • Opcode Fuzzy Hash: 3a075b17c6ae53054d6fcfe21a5f3f3a7779ed2a23cf778c5a9a99aa0d6ed8a3
              • Instruction Fuzzy Hash: B3A21D74A0562A8BDF75CF19C8987ADBBB5BF85304F1442EAD50DAB260DB309E85CF40
              Function 015063FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
              • API String ID: 0-792281065
              • Opcode ID: 898a25ad3723594508a1155ebff48efd9fa0d949b78d30ea30d309193413efe7
              • Instruction ID: fac1644ee7235e42a6e2a7ed0288b89adc6bca5d2f9d274c1cf2c3328e6f5a32
              • Opcode Fuzzy Hash: 898a25ad3723594508a1155ebff48efd9fa0d949b78d30ea30d309193413efe7
              • Instruction Fuzzy Hash: 5A913470B407169FEB26DF98D889BAE7BE1BF50B18F16012DE9106F2D1D7B09901C7A1
              Function 014C645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON
              Download Yara Rule
              Strings
              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01529A2A
              • apphelp.dll, xrefs: 014C6496
              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 015299ED
              • minkernel\ntdll\ldrinit.c, xrefs: 01529A11, 01529A3A
              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01529A01
              • LdrpInitShimEngine, xrefs: 015299F4, 01529A07, 01529A30
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-204845295
              • Opcode ID: 2e7becd326a52228d86b32a75eb17b58854f6657e9809f4fa8eeaee9cbb94c2a
              • Instruction ID: 2719f325f447bcf910dda5550b79f2288b12ce0d0d99624dc3e058892d2f2b43
              • Opcode Fuzzy Hash: 2e7becd326a52228d86b32a75eb17b58854f6657e9809f4fa8eeaee9cbb94c2a
              • Instruction Fuzzy Hash: D55113712083119FE720DF25D885FAB77E8FB94A48F11491EF5959B2B0D770E904CB92
              Function 01502674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
              Download Yara Rule
              Strings
              • SXS: %s() passed the empty activation context, xrefs: 01542165
              • RtlGetAssemblyStorageRoot, xrefs: 01542160, 0154219A, 015421BA
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 015421BF
              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01542180
              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01542178
              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0154219F
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
              • API String ID: 0-861424205
              • Opcode ID: b52baf12fba3c3cfed544601a6417d3a3bafe37fa4107337d7fa84f81810c802
              • Instruction ID: 187c1f1321039db3c85c79cb05e1d15d38c62d64c6ad7e343c1606bb83ae4cd1
              • Opcode Fuzzy Hash: b52baf12fba3c3cfed544601a6417d3a3bafe37fa4107337d7fa84f81810c802
              • Instruction Fuzzy Hash: E5312836F4022577F7228ADA9C85F9F7B78FBE4A94F05005ABA04BF191D6709A00C7A1
              Function 0150C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
              Download Yara Rule
              Strings
              • LdrpInitializeProcess, xrefs: 0150C6C4
              • Unable to build import redirection Table, Status = 0x%x, xrefs: 015481E5
              • minkernel\ntdll\ldrinit.c, xrefs: 0150C6C3
              • Loading import redirection DLL: '%wZ', xrefs: 01548170
              • minkernel\ntdll\ldrredirect.c, xrefs: 01548181, 015481F5
              • LdrpInitializeImportRedirection, xrefs: 01548177, 015481EB
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-475462383
              • Opcode ID: d83e51c99f8b08b7ce5d1325506c07b9e574ac25e1982ba1545be5d63748e8b5
              • Instruction ID: e1cdd8b17fee4c71cbd09c37b96a31a5fe284dab0cab587d2b4c9c52e739ff20
              • Opcode Fuzzy Hash: d83e51c99f8b08b7ce5d1325506c07b9e574ac25e1982ba1545be5d63748e8b5
              • Instruction Fuzzy Hash: 89310271A447069FC220EF6ADD46E1AB7E4FFA4B14F02065DF9416F2A1E670EC04C7A2
              Function 0151096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 01512DF0: LdrInitializeThunk.NTDLL ref: 01512DFA
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01510BA3
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01510BB6
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01510D60
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01510D74
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
              • String ID:
              • API String ID: 1404860816-0
              • Opcode ID: 5cb319fcf019c4aeaca8eee263344544f87bdd91b5b47c056e3c1cb37f3d9a66
              • Instruction ID: 1fe59d3bfab6e8a35efd98d1591dcc1b16fbfd9abe1a1eda72727af21630ed97
              • Opcode Fuzzy Hash: 5cb319fcf019c4aeaca8eee263344544f87bdd91b5b47c056e3c1cb37f3d9a66
              • Instruction Fuzzy Hash: B7427C75900716DFEB21CF28C881BAAB7F5BF48304F1485AAE989DF245D770A984CF60
              Function 014DA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
              • API String ID: 0-379654539
              • Opcode ID: 8ff0a480ec8f6233d5dbd6a6b11f939be5c48ee0e5bea09f151be45b019e72c5
              • Instruction ID: 443ec5996224332a6bab5da28c8d447df61d72cf75289373820fc5496db76a88
              • Opcode Fuzzy Hash: 8ff0a480ec8f6233d5dbd6a6b11f939be5c48ee0e5bea09f151be45b019e72c5
              • Instruction Fuzzy Hash: 5BC19A74108386CFDB11CF68C164B6ABBE4BF84704F14896EF9958B361E734CA4ACB56
              Function 01508402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON
              Download Yara Rule
              Strings
              • LdrpInitializeProcess, xrefs: 01508422
              • minkernel\ntdll\ldrinit.c, xrefs: 01508421
              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0150855E
              • @, xrefs: 01508591
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1918872054
              • Opcode ID: 47adcbc2bab0befa346b847c00ac40ba3e03fc1e68a71b4dbb57575b7e4e4f7d
              • Instruction ID: 4984151b59fcad5817b6716380a0acccef755ae386eed4522f2692db47034080
              • Opcode Fuzzy Hash: 47adcbc2bab0befa346b847c00ac40ba3e03fc1e68a71b4dbb57575b7e4e4f7d
              • Instruction Fuzzy Hash: 7B919F71918745AFE722DFA5CC41FAFBAE8BF94744F40092EF6849A191E331D904CB62
              Function 0150273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
              Download Yara Rule
              Strings
              • SXS: %s() passed the empty activation context, xrefs: 015421DE
              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 015421D9, 015422B1
              • .Local, xrefs: 015028D8
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 015422B6
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
              • API String ID: 0-1239276146
              • Opcode ID: 4b62286bd03b39da726100b8e5ea2d9b7d2a57cd56df16c88e4f7d736494fd57
              • Instruction ID: 922e244d1e29443d9763e7ebe5fde03df874a0e7b78ec16539300332e9c6778f
              • Opcode Fuzzy Hash: 4b62286bd03b39da726100b8e5ea2d9b7d2a57cd56df16c88e4f7d736494fd57
              • Instruction Fuzzy Hash: 34A1C735900229DBDB25CF99DC887A9B3B5BF58354F1545EAD908AF291D7309EC0CF90
              Function 01504AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON
              Download Yara Rule
              Strings
              • RtlDeactivateActivationContext, xrefs: 01543425, 01543432, 01543451
              • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01543437
              • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01543456
              • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0154342A
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
              • API String ID: 0-1245972979
              • Opcode ID: f4794fbf750712bb08c3b9dad004084db6cbfc9ca5596abb69ee9ae4509c6677
              • Instruction ID: 1b14034645017bc8ad04ffd445ea58bfed560aba66b3bad4d231b3687d6bb9fe
              • Opcode Fuzzy Hash: f4794fbf750712bb08c3b9dad004084db6cbfc9ca5596abb69ee9ae4509c6677
              • Instruction Fuzzy Hash: 90612532600B229BD723CF5DC885B6AB7E5FF90B64F14852DE9559F2A0D730E841CB91
              Function 014D64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON
              Download Yara Rule
              Strings
              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01530FE5
              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01531028
              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 015310AE
              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0153106B
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
              • API String ID: 0-1468400865
              • Opcode ID: d82cde2f26bd6c7058059e73619a3a9ab2b4b24a0dbe94bce0a48fa3b5f47a3d
              • Instruction ID: 9876d5cb5ec6d60e1bab18395244f6ce35aafd9883a385486e4465da7e4352b1
              • Opcode Fuzzy Hash: d82cde2f26bd6c7058059e73619a3a9ab2b4b24a0dbe94bce0a48fa3b5f47a3d
              • Instruction Fuzzy Hash: 8271E1B19043069FDB21DF18C894B9B7FA8BF95764F40046AF9488F29AD334D589CBD2
              Function 014F245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON
              Download Yara Rule
              Strings
              • apphelp.dll, xrefs: 014F2462
              • LdrpDynamicShimModule, xrefs: 0153A998
              • minkernel\ntdll\ldrinit.c, xrefs: 0153A9A2
              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0153A992
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-176724104
              • Opcode ID: 87699fecb00e440ea970e9893795eeab091b2ebecba48c12bba41253172cdced
              • Instruction ID: a12b249f341e34e5a4f0474b0cac2ebcb644200e5fe118d98d901c5f1e467de5
              • Opcode Fuzzy Hash: 87699fecb00e440ea970e9893795eeab091b2ebecba48c12bba41253172cdced
              • Instruction Fuzzy Hash: C7316676600202AFDB319F599885EAE7BB4FBC0B04F17402EE960AF365C7F09946D780
              Function 014E29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
              Download Yara Rule
              Strings
              • HEAP: , xrefs: 014E3264
              • HEAP[%wZ]: , xrefs: 014E3255
              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 014E327D
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
              • API String ID: 0-617086771
              • Opcode ID: 98abe4b4537ddbfc9af554f7f26e4e51faed71748b0f1426c89fe588359fee65
              • Instruction ID: 594d5a9e464e4ba581c2c1c45c82b53ce2497e76d030c604d7e43c4b6f961801
              • Opcode Fuzzy Hash: 98abe4b4537ddbfc9af554f7f26e4e51faed71748b0f1426c89fe588359fee65
              • Instruction Fuzzy Hash: 5D92DF71A042499FDB26CF68C448BAEBBF1FF48311F18805EE859AB361D775A942CF50
              Function 014E0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-4253913091
              • Opcode ID: ac1894de14298987b69d0086b03d7f641ac637a3f2e38567204d7cd98634e2be
              • Instruction ID: cd120a3879275adc9bf4ce274ff1f57de517390bb2afd3a0851f163604a3d9e9
              • Opcode Fuzzy Hash: ac1894de14298987b69d0086b03d7f641ac637a3f2e38567204d7cd98634e2be
              • Instruction Fuzzy Hash: 90F18B30700606DFEB25CF68C898B6AB7F5FF84304F14816AE5669B3A1D774E981CB91
              Function 014F6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: $@
              • API String ID: 0-1077428164
              • Opcode ID: ec0c4383d747d73d8715e42804a5b4b197dfea69588ac166b770e2f1876ee8b6
              • Instruction ID: c4b7cdca6c76842cd87c13c3853b302adbbae203198481b5372339e87b314dcf
              • Opcode Fuzzy Hash: ec0c4383d747d73d8715e42804a5b4b197dfea69588ac166b770e2f1876ee8b6
              • Instruction Fuzzy Hash: 6EC28F716083419FE725CF29C880BABBBE5BFC8754F05892EEA8997361D734D805CB52
              Function 014CA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: FilterFullPath$UseFilter$\??\
              • API String ID: 0-2779062949
              • Opcode ID: ef63d5a31b2e46dbc8dd65175afca035d7e1d2d4baefa3d222c2ca2e1cadc8eb
              • Instruction ID: e919587745bd24cdcbc496c14b85dd735d6d1ad78ae4ff1a696fd5edbc5e5204
              • Opcode Fuzzy Hash: ef63d5a31b2e46dbc8dd65175afca035d7e1d2d4baefa3d222c2ca2e1cadc8eb
              • Instruction Fuzzy Hash: B7A17C769012399BDB319F28CC88BAEB7B8FF55710F1005EAD909AB251E7359E84CF50
              Function 014F0BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON
              Download Yara Rule
              Strings
              • LdrpCheckModule, xrefs: 0153A117
              • minkernel\ntdll\ldrinit.c, xrefs: 0153A121
              • Failed to allocated memory for shimmed module list, xrefs: 0153A10F
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
              • API String ID: 0-161242083
              • Opcode ID: 5dc046823d60b9d1c134f6699a7078223a11ab6364b6047821305415178a94c1
              • Instruction ID: 2961bd165e3dd68d0e4549f65fbf4d831726ac235b1166f49e3a2c2cdb378e76
              • Opcode Fuzzy Hash: 5dc046823d60b9d1c134f6699a7078223a11ab6364b6047821305415178a94c1
              • Instruction Fuzzy Hash: CF71F270A006069FDB29DF68C980BBEB7F1FB84704F15402EE552DB366E734AA42CB40
              Function 014E0A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-1334570610
              • Opcode ID: 55d13f3fbc62fbd685f4847a0745fd7565104f72a1b634e88bb01efae78f9896
              • Instruction ID: 041d79cfaa53a4df7637dc9335d238c50ef042752f4910077692b7cc9066a572
              • Opcode Fuzzy Hash: 55d13f3fbc62fbd685f4847a0745fd7565104f72a1b634e88bb01efae78f9896
              • Instruction Fuzzy Hash: F86180707103069FDB29CF68C484B6ABBE5FF54705F14855EE4698F2A2D7B0E841CB91
              Function 0150C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
              Download Yara Rule
              Strings
              • Failed to reallocate the system dirs string !, xrefs: 015482D7
              • minkernel\ntdll\ldrinit.c, xrefs: 015482E8
              • LdrpInitializePerUserWindowsDirectory, xrefs: 015482DE
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1783798831
              • Opcode ID: f7cd66f3acac1ffb37a11ecc23ba6ff8c66396e962b182ced4a1140f9cd5b1b4
              • Instruction ID: 2f29b47716a01e7e5d54e7a35898c00a156fd891314909b6f201230dba9895ed
              • Opcode Fuzzy Hash: f7cd66f3acac1ffb37a11ecc23ba6ff8c66396e962b182ced4a1140f9cd5b1b4
              • Instruction Fuzzy Hash: 3C4120B1100701AFC722EFA9DC44B5B77E8BF64B14F014A2EB9549B2A0EB70E804CB91
              Function 0158C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
              Download Yara Rule
              Strings
              • PreferredUILanguages, xrefs: 0158C212
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0158C1C5
              • @, xrefs: 0158C1F1
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
              • API String ID: 0-2968386058
              • Opcode ID: 16a76a45c3012252687972d606b1bf0c0ee183658072168546cb97bfff169f52
              • Instruction ID: cbadc0d37c6bb7d4fce63b816ff7ecb8a5c11f441a22e23a3eb8987e7ef2090c
              • Opcode Fuzzy Hash: 16a76a45c3012252687972d606b1bf0c0ee183658072168546cb97bfff169f52
              • Instruction Fuzzy Hash: D3416871D0021AEBEF11EBD9C841FEEB7B8BB54710F14416AE64ABB290D7749A44CB60
              Function 01564144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
              • API String ID: 0-1373925480
              • Opcode ID: c3f3ea5191d845326c2838d03e285e8ae066dbc0f64d2ac1e039c36dcec68d72
              • Instruction ID: c0ba579fe4253a2b968759b66f49ce43809f4fd131f520d0862147318e342948
              • Opcode Fuzzy Hash: c3f3ea5191d845326c2838d03e285e8ae066dbc0f64d2ac1e039c36dcec68d72
              • Instruction Fuzzy Hash: 1841F332A00659CBEB26DBA9C844BADBBFCFFA5340F24045AD901EF791D7358941CB90
              Function 01554755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              Strings
              • LdrpCheckRedirection, xrefs: 0155488F
              • minkernel\ntdll\ldrredirect.c, xrefs: 01554899
              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01554888
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-3154609507
              • Opcode ID: 2994b04923629059ecb822aa4fe84de883af8c2079ea1dbb9fd90ed368531c40
              • Instruction ID: f93e8468ede03a3cbaf7cd730acb9fc8f8866c71617cce1a27d66bf1bb14a067
              • Opcode Fuzzy Hash: 2994b04923629059ecb822aa4fe84de883af8c2079ea1dbb9fd90ed368531c40
              • Instruction Fuzzy Hash: EE41D132A146519FCBA1CE69D860A2A7BE4BF89A50B06056EED589F311F330D880CB91
              Function 014E0BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-2558761708
              • Opcode ID: 858143545e5212e0b067a69f8e12a6c201aed638aa07247ade861114c7d31d0b
              • Instruction ID: 9eed7ee71f58e284f899ba3fbd1cef087b17f26780773fb677874a4380c38bd2
              • Opcode Fuzzy Hash: 858143545e5212e0b067a69f8e12a6c201aed638aa07247ade861114c7d31d0b
              • Instruction Fuzzy Hash: 2F11DF313241029FDB2DCA29C859B7AB3E4FF90A16F19812EF416CF261EB70D841C751
              Function 015520DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
              Download Yara Rule
              Strings
              • Process initialization failed with status 0x%08lx, xrefs: 015520F3
              • minkernel\ntdll\ldrinit.c, xrefs: 01552104
              • LdrpInitializationFailure, xrefs: 015520FA
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2986994758
              • Opcode ID: 5b580ff5f09bc7a2358646ac7f10959d17ba9d6b5f6097990cb85c09d5c36e6d
              • Instruction ID: 6dfb95d8ab0b287631ab2bfdd7a86752d722723ff656a03b7abfef0e50ea2363
              • Opcode Fuzzy Hash: 5b580ff5f09bc7a2358646ac7f10959d17ba9d6b5f6097990cb85c09d5c36e6d
              • Instruction Fuzzy Hash: 50F0C275640309BFE724EA4DDC57FDA37A8FB90B54F65005AFA006F295D2F0AA04CBA1
              Function 014E03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: #%u
              • API String ID: 48624451-232158463
              • Opcode ID: 8473a29792b442578bb21cb6fa614e8f6283b1c6517bb2f5201172cfdacf6fc7
              • Instruction ID: 20d5ad9df0d98e837892d8d64eb252eba2383bcc7411f9734967f166f2cf35e1
              • Opcode Fuzzy Hash: 8473a29792b442578bb21cb6fa614e8f6283b1c6517bb2f5201172cfdacf6fc7
              • Instruction Fuzzy Hash: E8714B71A0014A9FDB01DFA9C994FAEB7F8FF58704F14406AE905EB261EA34ED01CB60
              Function 014DA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON
              Download Yara Rule
              Strings
              • LdrResSearchResource Enter, xrefs: 014DAA13
              • LdrResSearchResource Exit, xrefs: 014DAA25
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
              • API String ID: 0-4066393604
              • Opcode ID: e771060dc3b152cfe8b7bd0c314131bf458fcd381a687b77acbd74e7d89f614e
              • Instruction ID: ddb2d96d84cfa648ba0b2180f2de57cc05b0d4c8119245b1b29a335a8fe705f6
              • Opcode Fuzzy Hash: e771060dc3b152cfe8b7bd0c314131bf458fcd381a687b77acbd74e7d89f614e
              • Instruction Fuzzy Hash: 55E19171E002099FEF22CF99C990BAEBBB9BF44310F20052AEA11EB361D7749941CB51
              Function 0159A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: `$`
              • API String ID: 0-197956300
              • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction ID: f4cb6c099fa335843ae97d465b8b1167f4b27f987b33436c7f677b624c23165e
              • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction Fuzzy Hash: 3EC1AF312043469BEB25CF28C845B6BBBE5BFD4318F184A2DF6968F290D774D505CBA2
              Function 0154E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Legacy$UEFI
              • API String ID: 2994545307-634100481
              • Opcode ID: 227e58d5dec6eb3e8b3bfe7658df8f23bc65a0d3eabc08d28d1bcdc0c39b924b
              • Instruction ID: 3471ee4d86e91885ae7c84da9a240bde98180db080ea41004271d301d432a0e7
              • Opcode Fuzzy Hash: 227e58d5dec6eb3e8b3bfe7658df8f23bc65a0d3eabc08d28d1bcdc0c39b924b
              • Instruction Fuzzy Hash: DA616C71E002099FEB25DFA9C841BADBBF5FB44714F24446EE649EF251D735A900CB50
              Function 015743D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: @$MUI
              • API String ID: 0-17815947
              • Opcode ID: c047237e5feac8eba07b383538f7961e2898a973bf61126de58ce3b07ecff6d1
              • Instruction ID: 427a64f618f36db3bfc9c44e5b67fd3272950f0fa54e9416f9b2302dab77faf8
              • Opcode Fuzzy Hash: c047237e5feac8eba07b383538f7961e2898a973bf61126de58ce3b07ecff6d1
              • Instruction Fuzzy Hash: 1E51F871E0021EAEEB11DFA9DC91EEEBBB9FB54754F10052AE611AB290D6309905CB60
              Function 014D04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON
              Download Yara Rule
              Strings
              • kLsE, xrefs: 014D0540
              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 014D063D
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
              • API String ID: 0-2547482624
              • Opcode ID: ab669ea1b5e0cfa650decdc08d6c837ad32ec35f8168c19f9d7044331fc8ac0c
              • Instruction ID: 7fac58530e71fb19f0a4732dc30cf09d41be50cacc63282c0404fd9253d1e486
              • Opcode Fuzzy Hash: ab669ea1b5e0cfa650decdc08d6c837ad32ec35f8168c19f9d7044331fc8ac0c
              • Instruction Fuzzy Hash: 3A51CD715007428FDB24EF29C4646A7BBE4AF85300F10883FFAAA87361E770D545CB92
              Function 014DA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
              Download Yara Rule
              Strings
              • RtlpResUltimateFallbackInfo Exit, xrefs: 014DA309
              • RtlpResUltimateFallbackInfo Enter, xrefs: 014DA2FB
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
              • API String ID: 0-2876891731
              • Opcode ID: 83284639c6b4240da63c4c81baf339d939f36a1e0041f016d721dc5a1330deef
              • Instruction ID: a961f8ac5209e762ba9e4aa92452c7b529058bb499e43b94d98e0d5c8f613508
              • Opcode Fuzzy Hash: 83284639c6b4240da63c4c81baf339d939f36a1e0041f016d721dc5a1330deef
              • Instruction Fuzzy Hash: C141AD30A04649DBEB16CF59C864B6E7BB5FF95700F2440AAE900DF3A1EBB5D941CB50
              Function 0150A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Cleanup Group$Threadpool!
              • API String ID: 2994545307-4008356553
              • Opcode ID: 2ea9990bdabf8540ea8d1d4c721bb5c033f34e57eaee5d83bf55d474439da1f5
              • Instruction ID: 8535d0041c2fc9ab0e95cebd6eef38870f1cc117d4531617ae1e54816d43ac55
              • Opcode Fuzzy Hash: 2ea9990bdabf8540ea8d1d4c721bb5c033f34e57eaee5d83bf55d474439da1f5
              • Instruction Fuzzy Hash: DF01D1B2644700AFE312DF64CE45B2677F8F795715F018939A659CF190E334D904CB46
              Function 014DC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: MUI
              • API String ID: 0-1339004836
              • Opcode ID: 8568c325d11fe8473a53b0450ab659a2783d305034991186c80f6fc624e9de59
              • Instruction ID: 23eba231ca750dfc35b0f65191d1eb5822f1568260c4502927dfd15e54f44d5a
              • Opcode Fuzzy Hash: 8568c325d11fe8473a53b0450ab659a2783d305034991186c80f6fc624e9de59
              • Instruction Fuzzy Hash: 7D826F75E002199FDF25CFA9C8A0BEEBBB1BF49310F14816ED959AB3A1D7309941CB50
              Function 01556420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: 3e7d511de10a51ade2da01b028a0afcf3bbceacf6707429e216f5bcfdfade636
              • Instruction ID: 18ad708e5cce694a66d16bf8f6c68bb1e8d1f3539e1b7d7b8c95b3d5aa76d3b6
              • Opcode Fuzzy Hash: 3e7d511de10a51ade2da01b028a0afcf3bbceacf6707429e216f5bcfdfade636
              • Instruction Fuzzy Hash: B8916372940259AFEB21DF95CC95FAE7BB8FF14750F50405AF700AF2A0D675A900CBA0
              Function 0157E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: bea10998b624e9812b21bbc6fd4ae4fbf696c75ef8c441f1a32720ec9acd424c
              • Instruction ID: 531569b949c7962508a47420dc17d5138cae141484620f91c17cd4bd22d776bd
              • Opcode Fuzzy Hash: bea10998b624e9812b21bbc6fd4ae4fbf696c75ef8c441f1a32720ec9acd424c
              • Instruction Fuzzy Hash: 28918371900606BFDB22AFA5EC46FAFBBB9FF95750F100069F505AB260D774A901CB90
              Function 0150A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: GlobalTags
              • API String ID: 0-1106856819
              • Opcode ID: 35532bcd539c2c3edfbeae61ef40ce74b258497143fa9a222f8e5e3b1441e7f0
              • Instruction ID: da9074c597d8bd657fc275251c89d691de73a55938021ba2b2cdaad8aa56ebe0
              • Opcode Fuzzy Hash: 35532bcd539c2c3edfbeae61ef40ce74b258497143fa9a222f8e5e3b1441e7f0
              • Instruction Fuzzy Hash: 80716CB5E0020A8FEF28CF99D5907ADBBF1BF99718F14852EE505AB241E7318941CB50
              Function 01574978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: .mui
              • API String ID: 0-1199573805
              • Opcode ID: ba5189787ed8236ba72bc9f10e39b83f4f63771a3e9e0c835fcd67da0cf290ff
              • Instruction ID: 8d95ab06f2e35f9e154d192f200c7e3bdddd0be42be658279505a90198465038
              • Opcode Fuzzy Hash: ba5189787ed8236ba72bc9f10e39b83f4f63771a3e9e0c835fcd67da0cf290ff
              • Instruction Fuzzy Hash: 76519472D0022A9BDF11EF99E841ABEBBB5BF14610F05416EE915BF250D7749C01CBE4
              Function 014EE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: EXT-
              • API String ID: 0-1948896318
              • Opcode ID: f3e224d3f127b25b788b8cd7a9be8d2701dce1ad72a660e6882fcd5ae3e53420
              • Instruction ID: 221cf81d4bd85d157d9bac5f4ac41ced8ad1d715c702f71bdc192f5c775fc8db
              • Opcode Fuzzy Hash: f3e224d3f127b25b788b8cd7a9be8d2701dce1ad72a660e6882fcd5ae3e53420
              • Instruction Fuzzy Hash: C541E1725483129BD710DF79D848B6BBBE8AF98705F440A2FF684E7260E674D904C793
              Function 0154C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: BinaryHash
              • API String ID: 0-2202222882
              • Opcode ID: cc06fb4228ad3e5fc471e17ce037cc6d0c8232edaa870d4e0e9728770f045068
              • Instruction ID: 1c6e79ff9dd041689425e242b91905ca35adefd48dbfe83ee015e3c2d79445c7
              • Opcode Fuzzy Hash: cc06fb4228ad3e5fc471e17ce037cc6d0c8232edaa870d4e0e9728770f045068
              • Instruction Fuzzy Hash: BB4136B1D0152EABEB21DA50CC84FDEB77CBB95718F0045A5EA08AF150DB709E498FA4
              Function 01566B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: #
              • API String ID: 0-1885708031
              • Opcode ID: 4c4d1f384e670a06dba503587aabaf4e4caf298e2ad92114805d3f8f2ed5b5e2
              • Instruction ID: 84094412a900a4b85885ebc5ceab30ae64a4606df9f9ab8bf83eb0e99528c9e9
              • Opcode Fuzzy Hash: 4c4d1f384e670a06dba503587aabaf4e4caf298e2ad92114805d3f8f2ed5b5e2
              • Instruction Fuzzy Hash: 60310331A00B099EFB22CF69C854BAE7BACFF44704F144029E941AF296DB75E805CBD0
              Function 0154CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: BinaryName
              • API String ID: 0-215506332
              • Opcode ID: 1ffeaa980bba5d69090506e8b2ef0be459978426ef9100d321dc94536d7ec79d
              • Instruction ID: f68376c869e562cd8c69693e4e3858fb13bfff750148467851442010610d659c
              • Opcode Fuzzy Hash: 1ffeaa980bba5d69090506e8b2ef0be459978426ef9100d321dc94536d7ec79d
              • Instruction Fuzzy Hash: F831013690251AAFEB16DB59C845E6FBBB4FFC0768F114169A905AB250D7309E00EBE0
              Function 0155892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON
              Download Yara Rule
              Strings
              • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0155895E
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
              • API String ID: 0-702105204
              • Opcode ID: dcbe7510c7bc4eb0f4eb1d902480d7459d66cd85b37564eb2f94ffe063d68e68
              • Instruction ID: ff22ba0ba3c5572655b2eecd81a9c9d99bf88a28a0fd569546972a9194527f3e
              • Opcode Fuzzy Hash: dcbe7510c7bc4eb0f4eb1d902480d7459d66cd85b37564eb2f94ffe063d68e68
              • Instruction Fuzzy Hash: 5F01F7313106119FE7615E978CA4A6A7BB6FFD5654B04041FFE411E561CB206845C792
              Function 01572000 Relevance: .8, Instructions: 757COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a861bf69bcc76460699740cbdec69c4fb39386fe8e82909026a11a1782a42a1d
              • Instruction ID: 467de483c9391289536c4ab6c69049ac3e7cd921748f0f3ca221dbcee2269d84
              • Opcode Fuzzy Hash: a861bf69bcc76460699740cbdec69c4fb39386fe8e82909026a11a1782a42a1d
              • Instruction Fuzzy Hash: 3142D3326083418FD725CF69D892A6FBBE5BF98300F08092EFA869F250D771D945CB52
              Function 01568158 Relevance: .6, Instructions: 617COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cec96aa00c4454b2482adb74d308ffd8d7ea13eed751d47b80b080f1f7e1d5e1
              • Instruction ID: 59738fa14803961fb12bf29e9ca6806e25dac8cb4930fce458bfeb578bc7c807
              • Opcode Fuzzy Hash: cec96aa00c4454b2482adb74d308ffd8d7ea13eed751d47b80b080f1f7e1d5e1
              • Instruction Fuzzy Hash: C8426D75A003198FEB24CF69C881BADBBF9BF58300F14819AE949EB251D7349D85CF90
              Function 014E2840 Relevance: .6, Instructions: 605COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d202f344a42fae90b054b31e7086fd6185feec2d3fa335731a9bb1d7b5a90880
              • Instruction ID: 063942133deb59fd885b78a6bf5a2031495f8790486494cf83bdfa77ba5ee1ec
              • Opcode Fuzzy Hash: d202f344a42fae90b054b31e7086fd6185feec2d3fa335731a9bb1d7b5a90880
              • Instruction Fuzzy Hash: CF32CC70A00656AFEB25CF69C854BBEBBF2BFC4304F24451ED5869F284D775AA02CB50
              Function 0157A118 Relevance: .6, Instructions: 591COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e52286efe5031850717379b6e448893e30c0ea031dad119256caaab5ab9aa78f
              • Instruction ID: b533478baac9c0a64d3262a1eb754aac990deec2a36ade8a7f8e01cd28eb6c25
              • Opcode Fuzzy Hash: e52286efe5031850717379b6e448893e30c0ea031dad119256caaab5ab9aa78f
              • Instruction Fuzzy Hash: 8622BE706046618FEB25CF29E09677EBBF1BF44300F0C8859E9968F286E335E452CB61
              Function 014D6A50 Relevance: .5, Instructions: 548COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5b31f0195e3b199879d8338ef50f25fca681905fc40b3eca35941d06e99e5f14
              • Instruction ID: 58cb1fc394fbaf02957a92e64fa1f73889528d84cc404654aef22131797bfcde
              • Opcode Fuzzy Hash: 5b31f0195e3b199879d8338ef50f25fca681905fc40b3eca35941d06e99e5f14
              • Instruction Fuzzy Hash: 93327B71A00615CFDF25CF69C490AAEBBF1FF88310F15856AE956AB3A1D734E842CB50
              Function 014F4A35 Relevance: .4, Instructions: 423COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
              • Instruction ID: 7c988e75a13150684b94bda99f84247500eddbf9ef0928f466b3993cc5135a97
              • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
              • Instruction Fuzzy Hash: 66F15F71E0021A9BDB15CF99D580BAFBBF5BF44710F09812EEA05AB355EB74D842CB50
              Function 0156892B Relevance: .4, Instructions: 386COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b7f562595d206910c0752be62c98b6ec7947fea2bd0fbef8c1d434a0aff5b8d4
              • Instruction ID: 0a21f253bcac970496887c8a92eb685a2c91712c0910b3996668ac8b73a37ef7
              • Opcode Fuzzy Hash: b7f562595d206910c0752be62c98b6ec7947fea2bd0fbef8c1d434a0aff5b8d4
              • Instruction Fuzzy Hash: 12D1F171A0070A8BEF15CF69C841AFEB7F9BF88314F188169D955EB241E735E905CBA0
              Function 014D65D0 Relevance: .4, Instructions: 383COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d13c5a5e1ee26c5ed157b2dec4313ba5f19af19af1e176ef4d2188d57d5cd2a4
              • Instruction ID: c80fc268f67de4f02207e5acefad0d9a9f63f561f5dc22e0c0f990a0e053f092
              • Opcode Fuzzy Hash: d13c5a5e1ee26c5ed157b2dec4313ba5f19af19af1e176ef4d2188d57d5cd2a4
              • Instruction Fuzzy Hash: FFE17071508342CFCB15CF28C5A0A6BBBE1FF89314F06896EE9998B361D731E905CB91
              Function 014C8397 Relevance: .4, Instructions: 380COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d3eeb723001b3537c76871d9c236734a2fd9cbab92e12c89f1f2c0a0ce33c0f9
              • Instruction ID: c3dea5ace6f5a485e8717effd237f6191015059ad8af91e563f9afcae5aad5c7
              • Opcode Fuzzy Hash: d3eeb723001b3537c76871d9c236734a2fd9cbab92e12c89f1f2c0a0ce33c0f9
              • Instruction Fuzzy Hash: D8D1F476A002179BDB54CF69C890ABEB7A5BF65B04F04412EE916DF2A0F730E951CB60
              Function 01558243 Relevance: .3, Instructions: 322COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
              • Instruction ID: e18104f010f68315765f451746c3c4ec35e4e5fa98d79a7d518021de1a43ea45
              • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
              • Instruction Fuzzy Hash: E1B18375A00605AFDB64DF9AC950EAFBFB9FF84344F10445EAE429B790DA34E906CB10
              Function 014E0535 Relevance: .3, Instructions: 300COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction ID: 9610e7b580104c0be27ff4263609ca9515e4585821dddc48c415af558f0c8448
              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction Fuzzy Hash: 8FB127317006469FDB11DBA8C854BBEBBF6BF84300F28415AE5629B391D770ED41CB90
              Function 014D83C0 Relevance: .3, Instructions: 281COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dc6ed926fcd53b6c6a78cd486d4eca1c3dfc61ca7e04457690e96b50c91f91b3
              • Instruction ID: 20005f5700a9fcf7360c58d5e6e76e489d6bc5730621c152f73bf901f78e7491
              • Opcode Fuzzy Hash: dc6ed926fcd53b6c6a78cd486d4eca1c3dfc61ca7e04457690e96b50c91f91b3
              • Instruction Fuzzy Hash: 28C14B741083418FD764CF19C494BABBBE5BF98304F44496EE9898B3A1D774E909CF62
              Function 014CC427 Relevance: .3, Instructions: 280COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 45e6e715917011107d81e45f558f9d336acd85e0e2c6b095c117d26933495d11
              • Instruction ID: cc45cdd810e0ca5944140b943a9388eed52cdb72c05bd1b3a214dbfce9bf95b0
              • Opcode Fuzzy Hash: 45e6e715917011107d81e45f558f9d336acd85e0e2c6b095c117d26933495d11
              • Instruction Fuzzy Hash: 29B18374A002668BDB65CF59C990BADB3B1FF54700F0485EED50EEB291EB349D86CB24
              Function 014FE5E7 Relevance: .3, Instructions: 278COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dc4fa4351d48be25682fe31b92aba2534b9f4ba980d48cbb358b4789f0a715ef
              • Instruction ID: ca69ddcfb6e288654dab554e8ae78c8c6c2cefb0076f3056f623ccd9b397ce40
              • Opcode Fuzzy Hash: dc4fa4351d48be25682fe31b92aba2534b9f4ba980d48cbb358b4789f0a715ef
              • Instruction Fuzzy Hash: 32A1F871E046599FEB22DB98C844BAE7BA4BB40714F06012BEB10BF3A1D7749D41CB92
              Function 01510185 Relevance: .3, Instructions: 276COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 87b45c050dbdc370b3862dae3c697e240fbdc03568a514406f29e2a6bfc8d715
              • Instruction ID: 74cd5ecd82d8a67ac2ca45c94d59c19f94744995a30f52431ab67f5e78ae02ca
              • Opcode Fuzzy Hash: 87b45c050dbdc370b3862dae3c697e240fbdc03568a514406f29e2a6bfc8d715
              • Instruction Fuzzy Hash: 8AA1E170B006169FEB26CF69C491BAEB7F1FF58318F104029EA159F289DB74E851CB90
              Function 015A4500 Relevance: .3, Instructions: 275COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 488224c68424952fcfbf6c13ae43b1b34eb8619ee2344523b59baf01f390de5e
              • Instruction ID: 02795a3a907bc055f9e2d887fb2da248ff825ff35e86ab1b1c7fe943a59fcd79
              • Opcode Fuzzy Hash: 488224c68424952fcfbf6c13ae43b1b34eb8619ee2344523b59baf01f390de5e
              • Instruction Fuzzy Hash: 99A1CD72A40652DFC722DF58C980B2EBBE9FF58704F89092DE5859F661C3B0E901CB91
              Function 015A2B57 Relevance: .3, Instructions: 266COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
              • Instruction ID: 4c20b3d5e6128f3a5396394bd1fb8a5cb0c0ec10ca59fcceb075c7e654af273f
              • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
              • Instruction Fuzzy Hash: A2B14871E4061ADFDF29CFA9C881AADBBF5FF48310F54812AE914AB351D730A941CB90
              Function 015560E0 Relevance: .3, Instructions: 264COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d52c989b48f1365fa106c5be82e1d6d6aa02dcb1d487aaf98d94161a77a64862
              • Instruction ID: 1a768241530894e887b1337e697991599a4dcc08b126b71465f75128cd11fde6
              • Opcode Fuzzy Hash: d52c989b48f1365fa106c5be82e1d6d6aa02dcb1d487aaf98d94161a77a64862
              • Instruction Fuzzy Hash: 2191D371D00256AFDB51CFA9D8A0BBEBBB5BF48710F55405AEA00AF351D734E9008BA0
              Function 014EE3F0 Relevance: .3, Instructions: 261COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 32c1458cae66cc231cc74dda2d69b63235d89cad01efc79151d143275c2f4f4a
              • Instruction ID: 31fd42b21e8f851f48e7e0ec059f030097cdf4a03f8a6c55dd83f1b73240268d
              • Opcode Fuzzy Hash: 32c1458cae66cc231cc74dda2d69b63235d89cad01efc79151d143275c2f4f4a
              • Instruction Fuzzy Hash: 0C915572A00616CFEB24DB99C448B7EBBE1FF94716F05416AE905AF3A0E774D902C750
              Function 01526ACC Relevance: .2, Instructions: 226COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1db0299b6ee77cbd51d283202acb67b0d53315b9b525c746bc67d7af8bfb0bd6
              • Instruction ID: 73ad745f8965df0ceea7c9b345ba2f945126fea3e3845b536b2237faa5547c65
              • Opcode Fuzzy Hash: 1db0299b6ee77cbd51d283202acb67b0d53315b9b525c746bc67d7af8bfb0bd6
              • Instruction Fuzzy Hash: 8281A872E0062A9FDB14CF69C540ABEBBF5FB49700F14452EE845EB680E334D940CB94
              Function 0159AB40 Relevance: .2, Instructions: 222COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
              • Instruction ID: e43befd4090ff83689a1ff04ec05f8c4b0b71afa6be6e35ec827400b946e9815
              • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
              • Instruction Fuzzy Hash: 4A818172A0025A9FDF19CF99C480AAEBBF6FF84310F188569E9169F385D734E901CB51
              Function 0150E284 Relevance: .2, Instructions: 212COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2848ca239ae28f30e1b94aaadd2d671c96856a192a96058100804b421d2225ec
              • Instruction ID: d7da9b6bfb26cc8689fb7b4fb5c925cd641905c213258da972b299c2db8ebd12
              • Opcode Fuzzy Hash: 2848ca239ae28f30e1b94aaadd2d671c96856a192a96058100804b421d2225ec
              • Instruction Fuzzy Hash: 76814471900609EFDB26CFA9C881BDEBBF9FF88354F144829E555AB250D770AC45CB60
              Function 014EC640 Relevance: .2, Instructions: 206COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c246427ed0e9971b5b3197b475a2f61d184439ba14d3afe3b8dae6fc0741e3d8
              • Instruction ID: 3571d435118ce68f3575c1ab36335a9157379e44d59f7a9f314289b817864103
              • Opcode Fuzzy Hash: c246427ed0e9971b5b3197b475a2f61d184439ba14d3afe3b8dae6fc0741e3d8
              • Instruction Fuzzy Hash: 5B71CE75D006669FCB2A8F59C4947FEBBF0FF98710F15461AE952AB360D3309805CBA0
              Function 015847A0 Relevance: .2, Instructions: 202COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d9d5116f7c86e7abd1360e1656af73175ea945c11b0d525754b3cfb375bbfbe9
              • Instruction ID: 70622716ef5f362944d9668fa783d6f4f1eacd98c60413c8ac211c7d0ab218a2
              • Opcode Fuzzy Hash: d9d5116f7c86e7abd1360e1656af73175ea945c11b0d525754b3cfb375bbfbe9
              • Instruction Fuzzy Hash: 9C718E70900606EFDB20EF99D944A9EFBF9FF94700F12815AEA10AF358D7B18A44DB54
              Function 014E260B Relevance: .2, Instructions: 201COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 593585837946b2297e8b43e1fb8054b11174ef3b8b3febefbab6eb6b5e8b8ad0
              • Instruction ID: 5a497a56421d589139e95d3e15eb0593248d798949a39e6e71ef3e4f614d2754
              • Opcode Fuzzy Hash: 593585837946b2297e8b43e1fb8054b11174ef3b8b3febefbab6eb6b5e8b8ad0
              • Instruction Fuzzy Hash: 4D7103756042429FD312DF28C484F2AB7E9FF84311F0485AAE898CB361DBB4DC46CB91
              Function 0155035C Relevance: .2, Instructions: 198COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction ID: 6794164196d9ef4428f75d063c10133614df2c35cf4b6046d90fd55c1a9b5f90
              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction Fuzzy Hash: 7171727190061AEFDB11DFA9C994EDEBBF8FF94704F10456AE905AB290DB30EA41CB50
              Function 015662A0 Relevance: .2, Instructions: 198COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 508f49babace33c7d5c883c68c34f5c83a2bc8aa7d4afe1b104627c6544489d8
              • Instruction ID: 45515acbc952ce140d908a897e6e4549ac31d14e1a3b8366e797ed724a359166
              • Opcode Fuzzy Hash: 508f49babace33c7d5c883c68c34f5c83a2bc8aa7d4afe1b104627c6544489d8
              • Instruction Fuzzy Hash: 4C71D532200702AFE732DF18C894F5ABBEAFF44761F154918E6568F2A1D775E944CB90
              Function 015A8324 Relevance: .2, Instructions: 192COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 54a5fa8fc0832adca0ed4af89843f986a1c37c36abd4bd64624d840bd5843cc4
              • Instruction ID: a1ecce2a13ffa4e83f6f97ea818eda0e776feaacac4fc1de93f984e21c2748dc
              • Opcode Fuzzy Hash: 54a5fa8fc0832adca0ed4af89843f986a1c37c36abd4bd64624d840bd5843cc4
              • Instruction Fuzzy Hash: 9E712D71E4020ABFEB16DF94CC41FEEBBB8FB04351F504559E610AB290D774AA05CBA0
              Function 0158A250 Relevance: .2, Instructions: 184COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b4c7565c4df7d8e88d1b4497a6c968974a78724952ba3ffc7f26905575fbdf41
              • Instruction ID: 46b559e7839b51bf6b8671ec02c66b32a5efeef090680614fdeefe10f424c44a
              • Opcode Fuzzy Hash: b4c7565c4df7d8e88d1b4497a6c968974a78724952ba3ffc7f26905575fbdf41
              • Instruction Fuzzy Hash: D551A172505712AFDB12EE68C844E5BBBE8FBC5750F01492ABA40EF160E770ED05C7A2
              Function 01578350 Relevance: .2, Instructions: 161COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 437004e753d2e86e7fdd8d61da680c3bcb824e8108354af4be5db493257f88e4
              • Instruction ID: 02eb0d68cc2624b7157ad0d6cb54da655d830e701a26b19980e91d339d8cb6b2
              • Opcode Fuzzy Hash: 437004e753d2e86e7fdd8d61da680c3bcb824e8108354af4be5db493257f88e4
              • Instruction Fuzzy Hash: CF51C170900706DFD721CF6AD889A6BFBF9BF94714F104A1ED2925B6A0C7B0A545CB90
              Function 0150E443 Relevance: .2, Instructions: 158COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8715ca26fdb4198b91bc70e68b43a16b3773cbbd538b5a0896001935f2587005
              • Instruction ID: 01a88b58378a17bb7438e9d0431e8ad72fb97fe07ef28b2a35758b4019b1b50d
              • Opcode Fuzzy Hash: 8715ca26fdb4198b91bc70e68b43a16b3773cbbd538b5a0896001935f2587005
              • Instruction Fuzzy Hash: DB518F71200A05DFDB23EFA9C985E6AB3F9FF58744F51086EE5428B2A0D734E950CB50
              Function 01574180 Relevance: .2, Instructions: 156COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4c616abe1f483925c03df36b166a916ddba7f698b1964d399e35e982d5f6851f
              • Instruction ID: 01a4b6483b8e47e3c6ec1fa037962820f752b386b24256f6ca6c3f77fbc2b276
              • Opcode Fuzzy Hash: 4c616abe1f483925c03df36b166a916ddba7f698b1964d399e35e982d5f6851f
              • Instruction Fuzzy Hash: A05167716083028FD750DF29E882A6FBBE5BFD8218F44492EF589CB250EB30D945CB52
              Function 014F45B1 Relevance: .2, Instructions: 156COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
              • Instruction ID: 18ba994b388f12280f080579a88253e927f6c7535e30bd6933047789bb7eb514
              • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
              • Instruction Fuzzy Hash: F0517C75E0021AABDF15DF98C440BAFBBF5AF45354F08406EEA01AB360DB34DA45CBA4
              Function 0155E9E0 Relevance: .2, Instructions: 154COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
              • Instruction ID: 98239632aedf0f43d9f91f5df672e8e1aa8de7f65467f553526f584441dbddca
              • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
              • Instruction Fuzzy Hash: 3151B671D0020AABEF519E94C8A6BAEFBB5FB40325F114667DD126F190D7709F4187A0
              Function 01598B28 Relevance: .2, Instructions: 152COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3e8ec89bc7eca867c5758446c25a233898a6c92df0abfc259b31a313b71b5775
              • Instruction ID: 4ff1f5da7ec0fbbacb5382eca80dbd7bedc5a45a85f4ecec128226775b324f32
              • Opcode Fuzzy Hash: 3e8ec89bc7eca867c5758446c25a233898a6c92df0abfc259b31a313b71b5775
              • Instruction Fuzzy Hash: C941D77170164A9BDF25DB2DC894F7FBB9BFF92220F084519E9158F281D734D801C692
              Function 0155CBF0 Relevance: .1, Instructions: 148COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b96aa02e2eedea60b82b93a8fcf50719e5d9284b0998cd8e0f73bbcb84aa7515
              • Instruction ID: 47e63327b5190bbf62c615e2f158d680a7140af53476336bd8418567f1579da0
              • Opcode Fuzzy Hash: b96aa02e2eedea60b82b93a8fcf50719e5d9284b0998cd8e0f73bbcb84aa7515
              • Instruction Fuzzy Hash: 1E518C72900316DFCB60DFA9C9909AEBBF9FF58358B11451AD956AB300DB70AA41CB90
              Function 0150A430 Relevance: .1, Instructions: 139COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2ade32e400a2574c7d891ddec6c235513b9d6a9d20815c103b6ad089c7d2865d
              • Instruction ID: 5537de3a36690ec544acf6eeee52adc8a410bda8c05fec940b79438f2b347baf
              • Opcode Fuzzy Hash: 2ade32e400a2574c7d891ddec6c235513b9d6a9d20815c103b6ad089c7d2865d
              • Instruction Fuzzy Hash: D44124726407029FDB27EFA99881F6E77AAFB95708F02042DED529F281D7B2D8048751
              Function 0159A9D3 Relevance: .1, Instructions: 139COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
              • Instruction ID: ffadf41992873d709272866f5a3020a65ff3e0c03feda0a9bd3a569ffe2b8d44
              • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
              • Instruction Fuzzy Hash: 9B41E7316017169FDF25CF68C984A6EB7E9FF90214B05462EE9128F640EB74ED04C7E2
              Function 015001F8 Relevance: .1, Instructions: 138COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f75ef20d251ed953e1134f67de229643b11658263bc7247008de5959487b3658
              • Instruction ID: 9bf617e717736eb42939ebb2fbd398b06e48b27c9de79505693761fb1e058942
              • Opcode Fuzzy Hash: f75ef20d251ed953e1134f67de229643b11658263bc7247008de5959487b3658
              • Instruction Fuzzy Hash: AB41C932A0021A9BDB12DFD8C440BEEBBB4BF88750F14816AF905EB2C0D7359C41CBA4
              Function 014FEBFC Relevance: .1, Instructions: 138COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6a510b05102c057099465379d6ceeb2927e5a3ffd96157f8f99e0a2ef4c28820
              • Instruction ID: 07299e118de0c5209aff31a04d114d75f2f152431aac8b47b902150ce8148bf0
              • Opcode Fuzzy Hash: 6a510b05102c057099465379d6ceeb2927e5a3ffd96157f8f99e0a2ef4c28820
              • Instruction Fuzzy Hash: 2B41B1716003029FD721DF29C888A2BB7E9FF94215F01482FE656D7731DB71E8458B51
              Function 01512750 Relevance: .1, Instructions: 137COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction ID: e9a28d5cbc6ba7c54e961705f1528aaacba23643d58389bd131d02cfb5a88c17
              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction Fuzzy Hash: D6517B75A40215CFDB55CF98C480AAEF7F2FF84714F2481A9D916AB355E730AE42CB90
              Function 014D6154 Relevance: .1, Instructions: 133COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ac5cdebbeb651a30fe79337bb17ea49f8cb5514b799a4feefe4780d9d0fe7ae7
              • Instruction ID: 1ff0b0096298bfe5ca642277a4cba5c75c79799c2ba3d34cd4f16d5a933dbd27
              • Opcode Fuzzy Hash: ac5cdebbeb651a30fe79337bb17ea49f8cb5514b799a4feefe4780d9d0fe7ae7
              • Instruction Fuzzy Hash: 9E510370A002069FDF26DB68CC14BA9BBF1FF55314F0582AAE529AB3E1D7749981CF40
              Function 014D0BCD Relevance: .1, Instructions: 130COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 717308f5fccf96ac0159c3caa9459b56ab9a96e2d0530396decbd0fc200b7e62
              • Instruction ID: 6237ce52073ef022329035a9d2dd139e35950034c033a67238e30f4a63c4bd1b
              • Opcode Fuzzy Hash: 717308f5fccf96ac0159c3caa9459b56ab9a96e2d0530396decbd0fc200b7e62
              • Instruction Fuzzy Hash: 0941A372A002299BDF21DF69C945BEE77B4FF55740F0100AAE908AF291D774DE81CB91
              Function 0159866E Relevance: .1, Instructions: 129COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction ID: f39bf9520435b9798ce714075494805d9590a8f7fae82a153750588329afa6f0
              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction Fuzzy Hash: 4641A675B0010AABDF15DF99CC84AAFBBBABF99600F244069E504AF341D771DD01C7A1
              Function 014D0887 Relevance: .1, Instructions: 128COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 39e4eb021ae33de2f938dbb708f9838ef225bed36c77d3c078a74a21fdc840b5
              • Instruction ID: 52f31cab697d42c2c66f868051ae70c9f910f6513b8a71eff6946c63d3dd4881
              • Opcode Fuzzy Hash: 39e4eb021ae33de2f938dbb708f9838ef225bed36c77d3c078a74a21fdc840b5
              • Instruction Fuzzy Hash: 9841B3B16007029FEB25CF29C5A0926B7F9FF45314F104AAFE54787660E770E846CB90
              Function 014FA470 Relevance: .1, Instructions: 127COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5659404d5ecbea99f338efd41153d5f6500996f1c500ce3fd1cf586bd723c05b
              • Instruction ID: 22af9cdcea6025b65a714e5ccda853fd92c07d43f9701d47c3932786c8835565
              • Opcode Fuzzy Hash: 5659404d5ecbea99f338efd41153d5f6500996f1c500ce3fd1cf586bd723c05b
              • Instruction Fuzzy Hash: C941E132940606CFDB21CF68C498BAE7BF0FB58310F25116ED625AF3A5DB349905CBA4
              Function 014D8BF0 Relevance: .1, Instructions: 124COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dc611be227acaa900659df390abfeb76157b04e3b95b935b877413b3ee58bbf6
              • Instruction ID: 8cb46c82732f11732d3d509fc40b50147acb09e7854b2ced049967f3beb818c3
              • Opcode Fuzzy Hash: dc611be227acaa900659df390abfeb76157b04e3b95b935b877413b3ee58bbf6
              • Instruction Fuzzy Hash: DE41FF32A01607CFDB249F59C8A0A6ABBB5FFA4B14F15802FD9219F365C775D842CB90
              Function 014C8918 Relevance: .1, Instructions: 123COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9f6022b2cc18a8043b254ae9749deadf3edd1bdcece4524c9b33b4560045f8d
              • Instruction ID: f42127f41eb648ee9f4febdc2044b9ec9764d3b04c60758df83c491b1102d193
              • Opcode Fuzzy Hash: f9f6022b2cc18a8043b254ae9749deadf3edd1bdcece4524c9b33b4560045f8d
              • Instruction Fuzzy Hash: 68414E765083169ED312DF658840AABB7E9BF84B54F44092FF985DB260E730DE058BA3
              Function 014CA020 Relevance: .1, Instructions: 122COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction ID: 790d5fb366e08b068858094749eeecf6452cf04e2b10c6c8737a6f8142953695
              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction Fuzzy Hash: 21415C76A00229DBDB11DE1E8480BBEB7B1FB51B95F25806FEA508F291E6328D40C791
              Function 014D09AD Relevance: .1, Instructions: 122COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 745ae95be303f54ac16c40168646d340fded851174a216a5e1564bf87129f00f
              • Instruction ID: 49bb8afb2051c7bcec07a14b4a63e953dbff7531bff86220b070f284e8d5a9ca
              • Opcode Fuzzy Hash: 745ae95be303f54ac16c40168646d340fded851174a216a5e1564bf87129f00f
              • Instruction Fuzzy Hash: EE415672640601EFDB21CF19C850B26BBF4FF68314F248A6BE449CB361E771E9428B91
              Function 01500710 Relevance: .1, Instructions: 121COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction ID: c81975e23fe6f852c99b445299e09092e4c2a8db15aba49acbe4c249a760729b
              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction Fuzzy Hash: 93410675A00605EFDB26CF99C980BAABBF8FF18740B10496DE556DB691D330AA44CB90
              Function 014D262C Relevance: .1, Instructions: 119COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d5b86f2d4a416c5e3123724ad89dcc511502341d0b947af3293cda37832941f9
              • Instruction ID: 21783ebea3ef133d099b9883bb20c5b3c040b62397496d8c562bebfdc2d589e5
              • Opcode Fuzzy Hash: d5b86f2d4a416c5e3123724ad89dcc511502341d0b947af3293cda37832941f9
              • Instruction Fuzzy Hash: 73419CB1501701CFCB22EF69C910A6AB7F1FF95710F1586AEC41A9B3B1DBB09A42CB51
              Function 0150C8F9 Relevance: .1, Instructions: 116COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d0727914638a8bad16a988c09b169c4966a69599e5be56c82fef62fbd1ed5ff9
              • Instruction ID: bb5d8ba3914925745aab7df3cc91679f99d7cf3905b902103eb8f288a84361e3
              • Opcode Fuzzy Hash: d0727914638a8bad16a988c09b169c4966a69599e5be56c82fef62fbd1ed5ff9
              • Instruction Fuzzy Hash: DB317AB1A00246DFDB12CFA8C040799BBF0FF4A718F2085AED119EF291D3729942CB90
              Function 015507C3 Relevance: .1, Instructions: 114COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d5cd52895eecb880c6e169c3da7f7a8c4afb905f07e8f793e745d7a4ed51ea18
              • Instruction ID: fac9f5a744db4e5b086b6738dd4b0df864e5d9bba762e4f06f1a5ef651258ad6
              • Opcode Fuzzy Hash: d5cd52895eecb880c6e169c3da7f7a8c4afb905f07e8f793e745d7a4ed51ea18
              • Instruction Fuzzy Hash: 10418D715043029FD360DF69C845F9BBBE8FF88754F104A2EF9989B291D7709904CB92
              Function 014C80A0 Relevance: .1, Instructions: 111COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4f2c98b180a45ef983e2b99e2f5f4ac5a1731ff9b46dac8ec7a81230f155e47d
              • Instruction ID: 3c543e4ea1fa797c0a425b0b2b6a1496e25dd065f3d0265ec843051213f90b02
              • Opcode Fuzzy Hash: 4f2c98b180a45ef983e2b99e2f5f4ac5a1731ff9b46dac8ec7a81230f155e47d
              • Instruction Fuzzy Hash: ED41C075A05617AFDB41DF59C840AA9B7F1BF94B60F14822FD815AB2A0DB30ED418BD0
              Function 015505A7 Relevance: .1, Instructions: 111COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 949851dd054ea02f21806b6e08c890f75903cce57a1399b810b0c1f6066c9d2c
              • Instruction ID: 1b2e82bdb54ad5bf09f1b007fd86e29fa8fd7996be6d0557a77f28c384f27edf
              • Opcode Fuzzy Hash: 949851dd054ea02f21806b6e08c890f75903cce57a1399b810b0c1f6066c9d2c
              • Instruction Fuzzy Hash: ED41C3726046429FD321DF6CC850A6EB7E9FFC8700F14061EF9949B690E730E905C7A6
              Function 014D4859 Relevance: .1, Instructions: 111COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aec27c1e30f0b90356974afdec511101d699fdf1b33c7b137e1de28d68bb30b3
              • Instruction ID: a3ea2a37fd514a37179327d652597842ca73695949b067ee46c0bf9975e015a4
              • Opcode Fuzzy Hash: aec27c1e30f0b90356974afdec511101d699fdf1b33c7b137e1de28d68bb30b3
              • Instruction Fuzzy Hash: D341B2302003018FDB25DF2AD8A4B2BBBE9EF90354F1844AEE6958B7B1DB70D955CB51
              Function 014C8B50 Relevance: .1, Instructions: 111COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e050de3ea143aa01ff386b1f0440edaaf0b4c8da5ca0ef795731079471054198
              • Instruction ID: d20458b6b3d4853c2aeada00d922a177d06f8e7168663ca27f3ec8c67db30dbc
              • Opcode Fuzzy Hash: e050de3ea143aa01ff386b1f0440edaaf0b4c8da5ca0ef795731079471054198
              • Instruction Fuzzy Hash: 294192BAE01616CFCB55CF69C98099DB7F1FF99720B10862FD466A73A0DB349901CB40
              Function 014E02E1 Relevance: .1, Instructions: 106COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction ID: 666eba67f22499adfd079c640079ec20e2e0deb74c81cfd4220bdb35f754377f
              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction Fuzzy Hash: 72311831A04245AFDB228B69CC44B9FBFE9EF54350F0445ABF465DB362C6B49845CBA0
              Function 0157E3DB Relevance: .1, Instructions: 105COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 740cf1c5dc4c7baf722e5186ee25dafe3fbd8313505304b6ec3bc7f1db02e315
              • Instruction ID: 09793184a7ac1e30f9984e320542fed22bc9f1d7e77c29fd357375caa5248c32
              • Opcode Fuzzy Hash: 740cf1c5dc4c7baf722e5186ee25dafe3fbd8313505304b6ec3bc7f1db02e315
              • Instruction Fuzzy Hash: 51317475750716ABDB229F699C42F6B76E9FB59B50F000069B600AF391DAB4DC01C7A0
              Function 01584B4B Relevance: .1, Instructions: 104COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 89df12c79303e4c879c2c3fe8e992340c383fd4bc16c12cbfa18070ac3ee0967
              • Instruction ID: 9407203ebc7e501ca4257c3cf594424b9aeaff2a9dc9ec64d7150f51d2427eea
              • Opcode Fuzzy Hash: 89df12c79303e4c879c2c3fe8e992340c383fd4bc16c12cbfa18070ac3ee0967
              • Instruction Fuzzy Hash: E531AF326056029FC721EF19D880F2AB7E9FF84361F0A446EE9A5AF351D730E944DB91
              Function 014D4260 Relevance: .1, Instructions: 102COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 54fa7ff0a655b2d8a1ff945c4edd9762c420ae9f5c5683ec6dd459a3cfe081b1
              • Instruction ID: e87d44d9e945e8c33410b5726110be1a6d196f76609c12ef1361d2797a66ccd5
              • Opcode Fuzzy Hash: 54fa7ff0a655b2d8a1ff945c4edd9762c420ae9f5c5683ec6dd459a3cfe081b1
              • Instruction Fuzzy Hash: BA41AE71200B45DFDB22CF68C491BAA7BE5BF95714F15842EF69A8B6A0CB70E804CB50
              Function 01584BB0 Relevance: .1, Instructions: 101COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 535953f166c5c5500cfc17705cb8b6a7dcd7fde0d68fbc6a1582522869d2eb9c
              • Instruction ID: 72b0146b3a15f6eb967e6c180dcd27058eed67a589927ae5d6d894cd9874aae9
              • Opcode Fuzzy Hash: 535953f166c5c5500cfc17705cb8b6a7dcd7fde0d68fbc6a1582522869d2eb9c
              • Instruction Fuzzy Hash: 8F317C716047028FD720EF29C881F2AB7E9FB84720F06496DE965AF391E770E904CB91
              Function 0154EB1D Relevance: .1, Instructions: 100COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 76bf07ab4a6e45806df12570f5f8f8ade9d896b9135c63bf5678cbc7b9ae976c
              • Instruction ID: d0e09bfde0d17d30b50f99462d68051c865de48755d99ac2a45a154a5b2c766b
              • Opcode Fuzzy Hash: 76bf07ab4a6e45806df12570f5f8f8ade9d896b9135c63bf5678cbc7b9ae976c
              • Instruction Fuzzy Hash: 6531C1316016969BF3229B6DCD49F297BD8FB40B48F1D04A4AF459F6E2DB3CD841C224
              Function 015961C3 Relevance: .1, Instructions: 97COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5f67237f44455a6de61235df8619331cbf607e3327661c52034649e712292ff4
              • Instruction ID: 2188a66a8a02053bcbfeab2e090905cef68553aa64743bb08219481e21e6d97b
              • Opcode Fuzzy Hash: 5f67237f44455a6de61235df8619331cbf607e3327661c52034649e712292ff4
              • Instruction Fuzzy Hash: B031D076A0021AABDF15DF98C840BAEB7B9FB44B40F4541A9E900AF244D770ED04CBA0
              Function 0157483A Relevance: .1, Instructions: 96COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d2273ebe805d734bc3f5c0c804d363a356c6ebb189ef529d3f08ab5a6ff6c7a4
              • Instruction ID: 87178736cb30fef69a6ce81add1c540a63c211beb779984b30b5832d6368bfc1
              • Opcode Fuzzy Hash: d2273ebe805d734bc3f5c0c804d363a356c6ebb189ef529d3f08ab5a6ff6c7a4
              • Instruction Fuzzy Hash: 50315376A4012DABCF21DF55DC85BDEBBF9BB98350F1100A5E508A7250CB30DE918F90
              Function 014FEB20 Relevance: .1, Instructions: 96COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6568fe1fae80c6b548dc2c9b69895f200d2c894cc6b142fd4d40e383a4d6462f
              • Instruction ID: a80005d92dd12324abf6e5d0649d9d54a8bb8e0d7350b6edcab825001e826cc4
              • Opcode Fuzzy Hash: 6568fe1fae80c6b548dc2c9b69895f200d2c894cc6b142fd4d40e383a4d6462f
              • Instruction Fuzzy Hash: A931C832D00219AFDB21DFA9CC44AAFB7F9EF54750F01442BE616E7370D2709A018BA0
              Function 015960B8 Relevance: .1, Instructions: 95COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6f1396ac3d18203db372401b86264a2842c68de233e3d4c4218107b0c0755193
              • Instruction ID: c02661e147e196ea221b63d2f4952aa99a2c17ca13495c714565751a92a3e1f0
              • Opcode Fuzzy Hash: 6f1396ac3d18203db372401b86264a2842c68de233e3d4c4218107b0c0755193
              • Instruction Fuzzy Hash: 5B31F1B2A40606AFDB229FA9C850B6EB7F9BF84754F00406EE505DF352DA70DC059B92
              Function 014D07AF Relevance: .1, Instructions: 95COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3326b9da177ab21bececd75f144938c16ccd6b12433f315956bdb1b9d21c21b
              • Instruction ID: 78d2dba01ea9e8fbb34c5e367d189b0ebe2d063eb6facb46c7eceed919b9b2f1
              • Opcode Fuzzy Hash: a3326b9da177ab21bececd75f144938c16ccd6b12433f315956bdb1b9d21c21b
              • Instruction Fuzzy Hash: 9731E872A04712DBCB12DE69C8A596B7BA5EFE4650F01452EFD55AB320DA30DC0187E1
              Function 014D8550 Relevance: .1, Instructions: 94COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8c46571baad8e5101ed166e72ad6b7222e4c8ea51759a82f39826cf097e730b1
              • Instruction ID: 9723a6c696fd360987040cf7bfe2e762b26165babca4657c14371604dc9654b8
              • Opcode Fuzzy Hash: 8c46571baad8e5101ed166e72ad6b7222e4c8ea51759a82f39826cf097e730b1
              • Instruction Fuzzy Hash: DA317A716097028FE760CF19C850B2BFBE5FB98B00F55496EE9849B361D770E848CB91
              Function 0150A6C7 Relevance: .1, Instructions: 92COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction ID: ace7c7e07c9cecaa9432adb6e88b005858c614f5c96fe0a537f74ec64823b4af
              • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction Fuzzy Hash: FA313072B00701AFE765CF6DCD40B5BBBF8BF58654F14492DA55AC7691E630E900CB50
              Function 0157EBD0 Relevance: .1, Instructions: 91COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c0f28a15e38cdc2421c09a4cd6693c01f74fe909b590f1dca855a21cfb14a7d9
              • Instruction ID: 199e8c2b42bf349c1d170386ed7e72695fd0114295f8c4405cfc975bbe3ebd9e
              • Opcode Fuzzy Hash: c0f28a15e38cdc2421c09a4cd6693c01f74fe909b590f1dca855a21cfb14a7d9
              • Instruction Fuzzy Hash: 5C31CDB5505301CFC721DF19E54685ABBF9FF99614F0589AEE488AF321D330DA44CB92
              Function 014F438F Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d228cd8bc8d52db77ea484f10f34ae1d11e7f4ae1dd5ca486a28940b1e6bdd33
              • Instruction ID: 9af3ba2bff39fb7f094e74fd662a2626af681b95792a2c2ea2647aba03cb7486
              • Opcode Fuzzy Hash: d228cd8bc8d52db77ea484f10f34ae1d11e7f4ae1dd5ca486a28940b1e6bdd33
              • Instruction Fuzzy Hash: A831A131B006059FD720DFA9C980A6FB7F9BB94304F04852ED245E7765DB30DA45CB50
              Function 014CCB7E Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
              • Instruction ID: f6001016214773b149139ef9f7d003210eb6c0935325adcb8f8f26b6c1c08a6b
              • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
              • Instruction Fuzzy Hash: 3321093BE0025AAAD711DBB9C840BAFFBB5AF25740F05843ADE55EB350E270C90087A0
              Function 014CC156 Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 60e8acc0fbfc3c85ef321cdf725d821c3e3981969c1ec5d6301b4a2e7636e4c1
              • Instruction ID: 58a164659641527d28804d76828d452f6de0c99893df3f7e695d91ad121febf2
              • Opcode Fuzzy Hash: 60e8acc0fbfc3c85ef321cdf725d821c3e3981969c1ec5d6301b4a2e7636e4c1
              • Instruction Fuzzy Hash: D83108735002118BDB31AF68C844B6D77B4FF51314F5881AED9469F392DA78D986CB90
              Function 0158C3CD Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction ID: 5abcceea28cf2756bed91ec766365b5da1e4904f9893514b7b2c47a6712b8715
              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction Fuzzy Hash: C9212D3660065366DB25BBD98800AFABBB5FF90711F40801EFA959F5A1E635D990C370
              Function 014CE420 Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 20b5a0ddb6224b43118e683133fb65aeb7d66163b74e9f46bc40dd7874cf043d
              • Instruction ID: ca5e2c6fe0609b788c4255f46e91dd93454fd6022ba55ae4ab6cf90c18c95882
              • Opcode Fuzzy Hash: 20b5a0ddb6224b43118e683133fb65aeb7d66163b74e9f46bc40dd7874cf043d
              • Instruction Fuzzy Hash: D931FC35A0151C9BDB31DF19CC41FEEBBB9EB25B40F0101AAE645BB2A0D7749E818F90
              Function 01504588 Relevance: .1, Instructions: 87COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
              • Instruction ID: 501030dc08a002c65a861e9d942dc9d2cf63c9df9d306acc8dc5206a3e333a7e
              • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
              • Instruction Fuzzy Hash: 7F217135A00649EBCB16CFD8C980A9EBBF5FF48714F108169EE159F281E671EA058B90
              Function 015044B0 Relevance: .1, Instructions: 87COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e5c188d4c94b504776ce4f7e08e51f997df00a0ffad11faefefd1a6dbda6e15e
              • Instruction ID: 8239a5cd93c70c1928cf6147f9080fdfcb8ce52acc1f929d36bbaec1720a5184
              • Opcode Fuzzy Hash: e5c188d4c94b504776ce4f7e08e51f997df00a0ffad11faefefd1a6dbda6e15e
              • Instruction Fuzzy Hash: 1C21C1726047469BCB22DF58D980B6B77E4FB88760F014A1DFE589F681D731E9008BA2
              Function 014CE388 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction ID: 86dc5b8a80f2985092cdf031525d842ea72c46cc793748c33130973868ceb671
              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction Fuzzy Hash: A631AF35600605EFE711CF69C884F6ABBF9FF85754F1045AAE5129B2A1E730ED02CB50
              Function 0154E609 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bc4897570894822508eb80dc5fef7758d737d14094c13a69608940a3b9d29658
              • Instruction ID: bf18b2ce262e0664d0f6175d8c5eed10e5687abceb5099dfa13296460cf04772
              • Opcode Fuzzy Hash: bc4897570894822508eb80dc5fef7758d737d14094c13a69608940a3b9d29658
              • Instruction Fuzzy Hash: BB318B75A00206DFCB14CF5CD8859AEB7B6FF88708F15445AE80A9F391E775EA40CB90
              Function 015506F1 Relevance: .1, Instructions: 79COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4530c5b454fad13b43a91392c30d6387f3e6316860d9e1997217febaa1697f2c
              • Instruction ID: dd061ef2925b7d004d2513093687f8547266ea1b4d913bd2031a79651fc80b17
              • Opcode Fuzzy Hash: 4530c5b454fad13b43a91392c30d6387f3e6316860d9e1997217febaa1697f2c
              • Instruction Fuzzy Hash: 8A2191759106299BCF21DF59C891ABEB7F8FF48740B51006AF941AB254E738AD41CBA0
              Function 0155019F Relevance: .1, Instructions: 78COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8f1f6ad61040ed2964dac207d1b9b7a966043fb29eba5811e63f98ccc35c6a65
              • Instruction ID: d205f159f65f27d9c7c4511ccd2627a9b915113153139571cc89c0cec203f89e
              • Opcode Fuzzy Hash: 8f1f6ad61040ed2964dac207d1b9b7a966043fb29eba5811e63f98ccc35c6a65
              • Instruction Fuzzy Hash: DF21AB71600605AFD716DF6DC854E6AB7E8FF98780F1400AAF904DB6A0D634ED40CBA4
              Function 01550283 Relevance: .1, Instructions: 74COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3ff418ed156129a20880b5d58a63d1a5c294f3fbed58857a6ffb6e100a83a6dd
              • Instruction ID: bbab7209d920ce797b7f25008b555b8daf47bad58fc27c1567884ed26af54884
              • Opcode Fuzzy Hash: 3ff418ed156129a20880b5d58a63d1a5c294f3fbed58857a6ffb6e100a83a6dd
              • Instruction Fuzzy Hash: 4921C1725042469BD721EF6AD958B5FBBECBFA1340F09045BBD808B2A2D730D905C6A1
              Function 014F2835 Relevance: .1, Instructions: 73COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c85ce69736e68b967150348d16a22bb583ee46755e5723e505066f31b72a8962
              • Instruction ID: 0341bacf81d4b1dd5af1bd7cadfabfb4737e7547a67010adc24165f80fbcc23f
              • Opcode Fuzzy Hash: c85ce69736e68b967150348d16a22bb583ee46755e5723e505066f31b72a8962
              • Instruction Fuzzy Hash: C021CB316056869BF322576D8D18F153BD4BB81774F1807A9FA609F7F1D7B8C8028150
              Function 0150A30B Relevance: .1, Instructions: 70COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e8643a9c3c07679be4b3eafb46192ed7d2eb76a228613f511c4b406b6f79fc5f
              • Instruction ID: 123b5ea71a59fc03de53ae0401eb74255477745818545fc3e49b905b5fb77a9d
              • Opcode Fuzzy Hash: e8643a9c3c07679be4b3eafb46192ed7d2eb76a228613f511c4b406b6f79fc5f
              • Instruction Fuzzy Hash: ED21A979200B019FC726DF69C800B96B7F5BF58B08F24846CA549CFB61E331E842CB94
              Function 0158A49A Relevance: .1, Instructions: 70COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 32fa597a7b6368ca4dc233adb1fb9a012bec693c64fcd42f72b37776010f242e
              • Instruction ID: 8d9e3659c7dedf1bedceecb66d56829685d7a2285ac1dd865c014bb906b3c436
              • Opcode Fuzzy Hash: 32fa597a7b6368ca4dc233adb1fb9a012bec693c64fcd42f72b37776010f242e
              • Instruction Fuzzy Hash: 8A11EC72340B127FEB226659AC41F27BAD9FBD5B60F51042AB718EF190EB70DC0187A5
              Function 01550946 Relevance: .1, Instructions: 70COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: eb6284a14b940cd8d51e62f28940829029d9fa182bd54898775c5abfb5d4ab32
              • Instruction ID: f6df67ac246c475c0a1820c0af0246da3b5082db73f5c0c4cc6a69a14cba4100
              • Opcode Fuzzy Hash: eb6284a14b940cd8d51e62f28940829029d9fa182bd54898775c5abfb5d4ab32
              • Instruction Fuzzy Hash: 2D2119B1E00249AFCB50DFAAD8919AEFBF8FF98B00F10012FE405AB254D7709945CB50
              Function 015680A8 Relevance: .1, Instructions: 69COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
              • Instruction ID: d14557a5b207bb10bd41db01ebea8d7c9ca97c43bae9853009bba42de9837658
              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
              • Instruction Fuzzy Hash: 25216D72A00209EFDB129F98CC44BAEBBB9FF98310F204859F951AB251D734D9508B90
              Function 01500124 Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction ID: b7e31d27bff6ebf1b88bacc49dc04eba5b10671eb9b16fb978ff3c9b1e766489
              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction Fuzzy Hash: E4119076601606AFE7239B99CC41F9ABBB9FB907A4F104429F6049F1D0D671ED44CB60
              Function 014D8770 Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6113604334145e5fd545d1f42ad93541c19512f9254a9ceb32564aadb294b0c4
              • Instruction ID: 1eff30e7011b2924368b0f98c1bfce8d752b22dadc1f2d6adbe54ecbb4b61fcb
              • Opcode Fuzzy Hash: 6113604334145e5fd545d1f42ad93541c19512f9254a9ceb32564aadb294b0c4
              • Instruction Fuzzy Hash: 6611B2357006129FDF12CF4EC890A67BBE9AF9A710B19406FEE08DF315D6B2D9028790
              Function 0150AAEE Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
              • Instruction ID: c6b6a4bee031fba0e63e5a4bb853c9fc0bea5cda746e95c3ec0dbed3f4e09e6d
              • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
              • Instruction Fuzzy Hash: CA216A72600B41DBD7268F9EC544B6ABBE6FB94B50F14897EE5468B660C630EC01CB40
              Function 014D80E9 Relevance: .1, Instructions: 66COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3fafc331aedf7d278c807330d69caa147992e6178870854729f80cdde2faf87e
              • Instruction ID: b48052301297d61db31cbb0e11b8fd07ed64591d7d0d3016b78b3dec60930632
              • Opcode Fuzzy Hash: 3fafc331aedf7d278c807330d69caa147992e6178870854729f80cdde2faf87e
              • Instruction Fuzzy Hash: 16215E75A00206DFCB14CF68C591A7EBBB5FB89318F24416ED105AB365C771AD0ACB90
              Function 0150674D Relevance: .1, Instructions: 65COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f61309f00a90a409aa0e701ef1d0a00e9b2b5685cd6b10c99b28d54492fdcefe
              • Instruction ID: fc6e8d890a78562686a38a12edf66587cca0d5fbc77385e7d929f6b8a44e87f3
              • Opcode Fuzzy Hash: f61309f00a90a409aa0e701ef1d0a00e9b2b5685cd6b10c99b28d54492fdcefe
              • Instruction Fuzzy Hash: 22216075500A01EFD7228FA9C841F66B7F8FF84650F44882DE59ACB290DB70B960CB60
              Function 01566870 Relevance: .1, Instructions: 63COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 03e0b94b675a4fedd05250c862b84a48eb44f0aea48d81de31a836ad2744b4e1
              • Instruction ID: 96df7ee3d2c3f199da4678f57fd405525c43edab5e1c80658d4f7ec38e10b96b
              • Opcode Fuzzy Hash: 03e0b94b675a4fedd05250c862b84a48eb44f0aea48d81de31a836ad2744b4e1
              • Instruction Fuzzy Hash: DB118F32240615AFD722DBAAC940F9A77ECFBA5660F114029F6059F261DB70E901CBE0
              Function 014FE8C0 Relevance: .1, Instructions: 63COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 608fdf04a08ee18ba295d12e2b3ebebaae709ec430f74329adabf6bc9281c30e
              • Instruction ID: bcd7d174d5ccb2f5e243a897bce03d86cec8eb295830870fe130fdf0915095b4
              • Opcode Fuzzy Hash: 608fdf04a08ee18ba295d12e2b3ebebaae709ec430f74329adabf6bc9281c30e
              • Instruction Fuzzy Hash: 8F11E5326041149FCB1ADA69CC85E6B7396EFD5671B25492EDA229F3A0E9309812C3A1
              Function 015066B0 Relevance: .1, Instructions: 61COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8058faab2384f042b7bc61e42812250e5909f62ed1aa49e27be9c081d01bbd73
              • Instruction ID: af2488feeb578fb5f69e80f32c11f7802c50f96bd3fe8f705782afc15b00787f
              • Opcode Fuzzy Hash: 8058faab2384f042b7bc61e42812250e5909f62ed1aa49e27be9c081d01bbd73
              • Instruction Fuzzy Hash: 4011CE76A01615EFCB26CF99C584E5ABBF8BF94650B06407ED9069F350E670DD10CB90
              Function 0159A8E4 Relevance: .1, Instructions: 61COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
              • Instruction ID: 9addc143141164678a08b95503dc12a2966e105e15ef744dabf5c1518ca5c496
              • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
              • Instruction Fuzzy Hash: B311E236A0090AAFDF19CB58C805A9DBBF5FF84210F058269E845AB380E671AD01CB90
              Function 014D0AD0 Relevance: .1, Instructions: 61COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
              • Instruction ID: d0eb20f3fb894b05a17a9b08e84dff881c0aa9dac4dfc0c1289c3e457086d759
              • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
              • Instruction Fuzzy Hash: 6D2106B5A00B059FD3A0CF29C440B52BBF4FB48B20F10492EE98ACBB50E371E814CB90
              Function 0155E7E1 Relevance: .1, Instructions: 59COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
              • Instruction ID: 0feba1f81f53ee9ee6003bc11f8098289db10fa3daedca3052195a9ca1b6cea4
              • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
              • Instruction Fuzzy Hash: 3911BF32600601EBEB619B49C862B1AFBE6FB52754F05842FED099F160D730DE41C790
              Function 014F27ED Relevance: .1, Instructions: 58COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 79244de8fe70aec806b4689ddd773d1cc49b739d49e2d01eb4a0e709d8856eb4
              • Instruction ID: c712a809e43e2a4df49cf1ed0c4aa09fec5702dd0b99f9ed8dc238bc5fe484a6
              • Opcode Fuzzy Hash: 79244de8fe70aec806b4689ddd773d1cc49b739d49e2d01eb4a0e709d8856eb4
              • Instruction Fuzzy Hash: 0D010431205689AFE316A66ED858F2B6B8CFF90754F0500AAFA40CF3A1DA64DC01C261
              Function 014D4690 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: deeeb09b2ad4ab4bad4406f5ed34993505b95a2d58bd540f45ab729a1e653c71
              • Instruction ID: 27e5c2db1dabc9459e47c7a47e1b7b7e93c23c9d301c6fe316a9b8a5c86dbd45
              • Opcode Fuzzy Hash: deeeb09b2ad4ab4bad4406f5ed34993505b95a2d58bd540f45ab729a1e653c71
              • Instruction Fuzzy Hash: 1111A076344645AFDF25CF9AD850B577BA4EB96B64F1A411BF9048BBA0C370E840CF60
              Function 015A4B00 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: afa80fdbaa49ea5c2ed9dc1ee7cf435c333373c243901b9f5d414fe901ce3e7e
              • Instruction ID: bae140456658bbaf939dfe1e77eab2247f3cb186f71df32ccc86687c523a28f7
              • Opcode Fuzzy Hash: afa80fdbaa49ea5c2ed9dc1ee7cf435c333373c243901b9f5d414fe901ce3e7e
              • Instruction Fuzzy Hash: 82110632240605DFDB22DAA9D844F1FF7E5FFC4311F594419E6828B290DA70A802C790
              Function 01506620 Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1f782379900340e393e6684bb7f658bea6c8064f86279371d1bb127d8db9cfe6
              • Instruction ID: c647558ea298db07f727a73a86307a201b737d327dd452661342d671b0919813
              • Opcode Fuzzy Hash: 1f782379900340e393e6684bb7f658bea6c8064f86279371d1bb127d8db9cfe6
              • Instruction Fuzzy Hash: 3F11AC76A00616ABDB229F9ACD80B5EFBB8FF84641F540459DA01AB240DB30A9118BA0
              Function 014FEA2E Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6ca015a41840e01c8cbb857c77b8e9bff906be50e44de948888fc0bd5be68e13
              • Instruction ID: 8fe0e9f1eb9afd1a63d59032356ab401c876737a27531aa80ffb64f743247fc1
              • Opcode Fuzzy Hash: 6ca015a41840e01c8cbb857c77b8e9bff906be50e44de948888fc0bd5be68e13
              • Instruction Fuzzy Hash: 6A01C0716102099FC725DF59D408F16BBE9FBA1715F22816FE2059B370D770AD4ACB90
              Function 014FE53E Relevance: .1, Instructions: 55COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
              • Instruction ID: 2ca9f16ff085f7374a04fe0a0165275e8106e83fb708021ab0606a2266e4f096
              • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
              • Instruction Fuzzy Hash: 5111C6726016C69BE7239B5C8948B2937D4BB80749F1A14E7DE419B7B2F338C843C252
              Function 0155E75D Relevance: .1, Instructions: 54COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
              • Instruction ID: 41fa8b99454e1cbcb131a08ce18473eff46b978a11992c950a8b80b77c090623
              • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
              • Instruction Fuzzy Hash: E3012632610546AFE7615F18C912F5AFAE9FF90750F05842AEE08AF160D771DE40C790
              Function 014CA250 Relevance: .1, Instructions: 52COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction ID: cfd423c8bf637fb753e191e3022e6a5224b01fe7d5b6e6e5ad486ceb0810a597
              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction Fuzzy Hash: 1E01043940473A9BDB718F199840A337BA6EF55B64710852EF8958B3A1E331D401CB60
              Function 015A4940 Relevance: .1, Instructions: 52COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4ebc55569b3b009d4fea8cb719beda3d8a5f6aec6ade1c70b4f490a341c13b0
              • Instruction ID: f061f0f5ca2ad640b8fe3dfd1eec20486cd7fd088003f9373e7f456a81f6c89c
              • Opcode Fuzzy Hash: a4ebc55569b3b009d4fea8cb719beda3d8a5f6aec6ade1c70b4f490a341c13b0
              • Instruction Fuzzy Hash: EA0126324816019FC332DF5CD804E1AB7E8FB91370B694269E9A99F1A2D770DC21C7C0
              Function 0154E1D0 Relevance: .1, Instructions: 51COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e0c9cfced2df0a313a26d8c0bd3bed65c77f87ae0d6ca8716fd82ccf30cc8ca8
              • Instruction ID: c1c6795bf4782d88d5980513bdf480d25399f91c5f6fead8f485881afe3be6f8
              • Opcode Fuzzy Hash: e0c9cfced2df0a313a26d8c0bd3bed65c77f87ae0d6ca8716fd82ccf30cc8ca8
              • Instruction Fuzzy Hash: 9411C432241641EFDB16EF59CD91F16BBB8FF54B44F1400A9F9059F661C235ED01CA90
              Function 014D6259 Relevance: .1, Instructions: 51COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6b256f5b39897d9c2c229ef934ad2998f4849312f1e8ea27a5bdd27e883f9c24
              • Instruction ID: 30a484aff0b2b4024bc184ee98a2da06f320e448f7ac8411b18b30ac82c42304
              • Opcode Fuzzy Hash: 6b256f5b39897d9c2c229ef934ad2998f4849312f1e8ea27a5bdd27e883f9c24
              • Instruction Fuzzy Hash: 0E117C7154122AABEF26EF64CC52FE9B3B4BF44710F6041D5A319AA1E0DB709E85CF84
              Function 01556050 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e6bac4a361f4b66b8587b7280635ae833264d1754241e809898c11eceafea041
              • Instruction ID: d12d72e2bc093a7d6af358b2f29c32d009b247d179a2c907259db0d2d5d7d7e1
              • Opcode Fuzzy Hash: e6bac4a361f4b66b8587b7280635ae833264d1754241e809898c11eceafea041
              • Instruction Fuzzy Hash: 37111B72900119ABCB12DB94CC94DDFB7BCFF58254F044166A906AB211EA34AA55CBE0
              Function 014D208A Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction ID: eb1a131638ccfef640679f00252b3d6c884e9e0de1ee61e542e0bfbd5dd61b8b
              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction Fuzzy Hash: F801F5736001119BEF128E69D890F5677A6BFD4700F5541ABEE018F266DAB18881C790
              Function 01566500 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0db6fe498f8a1e92a972dc5702a7965c8a52a895d2e66fde20a925dbd373756b
              • Instruction ID: 1baeb8e766084d1963d5fa45cecd03d30952c933c907fc8eab86666f7bf8cef3
              • Opcode Fuzzy Hash: 0db6fe498f8a1e92a972dc5702a7965c8a52a895d2e66fde20a925dbd373756b
              • Instruction Fuzzy Hash: D511CE326001469FC301CF68C840BA6BBB9BBAA314F488159E8488F325D732E880CBE1
              Function 0155C810 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5826db0820ad9186da5d5ce8a17d51ac45f451ca23dc6d2cd7f0623efe475b79
              • Instruction ID: faddf2b2cd564c8b36a61c375dec52cbdda9cca9a6e2f934cf27d7ea9e537263
              • Opcode Fuzzy Hash: 5826db0820ad9186da5d5ce8a17d51ac45f451ca23dc6d2cd7f0623efe475b79
              • Instruction Fuzzy Hash: 171118B1A0020A9FCB00DFA9D545AAEBBF8FF58350F10406AA905EB351D674EA018BA4
              Function 0157EA60 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7cc5e2f7e4a301896dd003a2cf19df3a55e1ec93e77faa4fbab9abfc074d5b9f
              • Instruction ID: 79d44f52a37bb3260e26319ccff0522c35f2c6c2eff5cd00a765e951f8a53abe
              • Opcode Fuzzy Hash: 7cc5e2f7e4a301896dd003a2cf19df3a55e1ec93e77faa4fbab9abfc074d5b9f
              • Instruction Fuzzy Hash: 2D01B1311403119FC732BE1A954ED6ABBF9FF61651B0588AEE1455F221CBB0DC41CB91
              Function 014CC020 Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction ID: 508c693808cd85fc5b14325b54fa548e05793d8f52bf13ec046154ca97d27378
              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction Fuzzy Hash: 1D01B972200B459FEB22D6AAC440E6777E9FFD6610F05481EE5568B690DAB0E402C750
              Function 015120F0 Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 21412e5b54b1f6110e40124cae6717f23f239ca6af1b282df11ef3c34d16a5e1
              • Instruction ID: 9a93b58dfd60f5293e712c9feb8bd03f37bd92dd5a6fff8a2ffe74d605a8e819
              • Opcode Fuzzy Hash: 21412e5b54b1f6110e40124cae6717f23f239ca6af1b282df11ef3c34d16a5e1
              • Instruction Fuzzy Hash: 2B116D75A0024DAFDB06EF64C851EAE7BB9FB84744F104059E9029B254D735AE11CB90
              Function 0150E5CF Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 743d4944465fbe52610ac442b222ce13b0803e9d0c7529e719c7359642f9c97b
              • Instruction ID: 4df38d51aa7aa02970b80872918954012fd4984d666f2209321de21ed46d6075
              • Opcode Fuzzy Hash: 743d4944465fbe52610ac442b222ce13b0803e9d0c7529e719c7359642f9c97b
              • Instruction Fuzzy Hash: F301A772201651BFD312AF7ACD44E57B7ECFFA8655700062EB10597661DBB4EC11C6E0
              Function 015669C0 Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e5c0b27dda39ee76d911b0456fb9d72a5754388f382fdd0e14f51742628ca542
              • Instruction ID: 074118e2bb0dfade752b092fcb3060df52dacd36c68845dfdcb4067888c31149
              • Opcode Fuzzy Hash: e5c0b27dda39ee76d911b0456fb9d72a5754388f382fdd0e14f51742628ca542
              • Instruction Fuzzy Hash: 4501D832214606DBD320DF6AC84896EFBECFB94664F514529E9698B180E7309945C7D1
              Function 0155C460 Relevance: .0, Instructions: 48COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7cc1c4e3254aba968e381a205001a1165d71a726dabcee59965e0c20e204578f
              • Instruction ID: b86480c6d0741d4a526e7094a98fcaf657ca9d48491be39f2d4c0aeb25da9579
              • Opcode Fuzzy Hash: 7cc1c4e3254aba968e381a205001a1165d71a726dabcee59965e0c20e204578f
              • Instruction Fuzzy Hash: A2113975A00249EBDB15EF68C854EAE7BB9BB98344F00405AAD019B250DA35A911CB90
              Function 0155C97C Relevance: .0, Instructions: 48COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3beefe2b55743cef89158af98f3b6430151f9eeba2daaf1c4858a2afe341198d
              • Instruction ID: 872fcf495b4573539293d220c6a97028854516c63887fd8b76c95efeae5f5077
              • Opcode Fuzzy Hash: 3beefe2b55743cef89158af98f3b6430151f9eeba2daaf1c4858a2afe341198d
              • Instruction Fuzzy Hash: 2E1157B16083099FC700DF69C44295BBBF8FF99710F00491AB998DB390E630E900CB92
              Function 0155CA11 Relevance: .0, Instructions: 48COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 91a5200d5ccff73f82e5e17035b7838f38670516c8a22e6a6fa841a88a6440cc
              • Instruction ID: 29013dcb76a7813f686fe8c01fab89403734efcaa0e1a56c33512ec5b40e144c
              • Opcode Fuzzy Hash: 91a5200d5ccff73f82e5e17035b7838f38670516c8a22e6a6fa841a88a6440cc
              • Instruction Fuzzy Hash: 781179B16083099FC300DF69C44194BBBE8FF99750F00891FB998DB3A4E670E900CB92
              Function 014EE016 Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction ID: 54d3d8d44bb29ccbfb6ebb3f1cf931dbe9439a1aa8f4500631a37cdea5b76a6a
              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction Fuzzy Hash: F0017C722005A49FE322871DC948F2A7BD8FB55755F0904A2F905DB7E2D638DD41C621
              Function 014C826B Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b7e611781c5d1f6ce7ab79ef529da79db424e64136b684e0665e6627ae9ccaa1
              • Instruction ID: 34c1c4545a31e8217249041ef40e9618bf7d7b5fc2126776230bf46d6fa7a201
              • Opcode Fuzzy Hash: b7e611781c5d1f6ce7ab79ef529da79db424e64136b684e0665e6627ae9ccaa1
              • Instruction Fuzzy Hash: AB01D43570090A9FD754DFA9D954AAB7BAAFF90A10B06402F9D02AF760DE30D802C290
              Function 0157EB50 Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 26c2e72cd8f6467344cb8abf37a687f8b72b5c8aa1d3f4401006c21932440db3
              • Instruction ID: 5530cd475e7e4f407e6c1810413d4679215fb3e35ffd00ff99768849d2cff492
              • Opcode Fuzzy Hash: 26c2e72cd8f6467344cb8abf37a687f8b72b5c8aa1d3f4401006c21932440db3
              • Instruction Fuzzy Hash: 15018F71240705AFD3315F5AE942F16BAE8FF65B50F11482EA20A9F3A0D6B099418BA4
              Function 014D2582 Relevance: .0, Instructions: 45COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 21a06861729112782e49e88790538da10cf77b383c8498794bc60c22da3896cb
              • Instruction ID: b3325a2f8b0454b00eed75d08aea6616d9117b82d9d5512553daac38f7589ba4
              • Opcode Fuzzy Hash: 21a06861729112782e49e88790538da10cf77b383c8498794bc60c22da3896cb
              • Instruction Fuzzy Hash: 09F0F933641710B7CB319F5B8C50F577EE9EB94B90F00402AE60697650C670ED01CAA0
              Function 014FC073 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction ID: 40c020eab385671a93d1595f2ef83d774e338b2999d1a085bba11487cc4fa6f6
              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction Fuzzy Hash: 36F0A4B2600615ABD324CF4D9840E57F7EADBD1A90F048129A605CB320E631DD05CB50
              Function 015A634F Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a352720be6b2e8048fec72192c86a47bd4cfd126ce40a3ee0ffb91fe6b3dc35d
              • Instruction ID: 08b0875c160f23cf43cca851d87ef8cf62b520b73ddc9bfaba97a4e6faf03b43
              • Opcode Fuzzy Hash: a352720be6b2e8048fec72192c86a47bd4cfd126ce40a3ee0ffb91fe6b3dc35d
              • Instruction Fuzzy Hash: 22017171A1020AAFDB00DFA9E55199EB7F8FF58304F10405AE900EB350D6349A018BA0
              Function 014CC310 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction ID: 7569f939abf1c44b638a520f1bf2e689413ab5b9cfe1fb09c06aa1e977b0c89b
              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction Fuzzy Hash: 3DF0FC372046339BD772579A58C0B2BA9959FE1E64F19003FF20D9B274C9748D0357D0
              Function 015A625D Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 995fbe2fdaae6ce87a59574475edff107ee7996e083b4dbfb1dea6051ef5f6bd
              • Instruction ID: 5fa375d9c5bfef3e73dda367f00b7cc0a3628cb8d2ec44302caa8ffd6c2eefbc
              • Opcode Fuzzy Hash: 995fbe2fdaae6ce87a59574475edff107ee7996e083b4dbfb1dea6051ef5f6bd
              • Instruction Fuzzy Hash: C3017C71A0020AAFDB04DFA9D451AAEB7F8FF58704F10406AF900EB390D674AA018BA0
              Function 015A62D6 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7ded7ea2d5260b27312dcb1030790ae54e1877d806bf20682a81d8451e83be8c
              • Instruction ID: 0a577d2c85dc5f666fd46d2fdb7e3930ee3da9957bf8eabfa6ea282a7ef5c783
              • Opcode Fuzzy Hash: 7ded7ea2d5260b27312dcb1030790ae54e1877d806bf20682a81d8451e83be8c
              • Instruction Fuzzy Hash: 22012171A0020AAFDB04DFA9D55599EBBF8FF58704F54405AE914EB350D67499018BA0
              Function 0150CA6F Relevance: .0, Instructions: 42COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
              • Instruction ID: bdee80af5c19ade5325ff8c51626c04c4eacf018a0c7f7379e3c7a9c505691c9
              • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
              • Instruction Fuzzy Hash: 1601D1326006859BE323D6ADC809F5DBBD8FF52758F0845A6FA048F6A1D6B9C841C210
              Function 015A61E5 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d54ee53a5ac46c78cdf40b0cefc76a55121f22c1e21f146d9f0ec0eeb504d620
              • Instruction ID: 68bcd88b38c91705973dc6ca07419d1867ce2bdbc93f9eb9b79ac23c3b9c717d
              • Opcode Fuzzy Hash: d54ee53a5ac46c78cdf40b0cefc76a55121f22c1e21f146d9f0ec0eeb504d620
              • Instruction Fuzzy Hash: A3018F71A002499FDB00DFA9D445AEEBBF8BF58310F14005AE500AB280D734EA01CB94
              Function 015563C0 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
              • Instruction ID: aeaaf2efa6817c401559d1f1c002b23a4ae8617dff57cef81f35c28a767fe9ac
              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
              • Instruction Fuzzy Hash: 46F01D7220005EBFEF029F95DD80DAF7BBEFB59298B114129FA1196170D631DD21ABA0
              Function 0155A4B0 Relevance: .0, Instructions: 40COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dbaef04d7bbe62e0dd6aa278fc2235635ed85616d2c394b3b977d0a4a2cc0d05
              • Instruction ID: ff2af81360f23f57252a77cadab203109339c55f721660c9f771d8b712b6d4cb
              • Opcode Fuzzy Hash: dbaef04d7bbe62e0dd6aa278fc2235635ed85616d2c394b3b977d0a4a2cc0d05
              • Instruction Fuzzy Hash: D1018936110109AFCF129E84DC40EDE3F66FB4C754F068206FE186A220C332D970EB81
              Function 014CC0F0 Relevance: .0, Instructions: 39COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3a3a656eb3a7c25aaf143078a0dc2c8f1bb6bc56c1068846cb6ffe7d967d2c25
              • Instruction ID: fc4bbfda2569e501c573ad797cb61086961178daf9dc90732c63fc1dad3264d3
              • Opcode Fuzzy Hash: 3a3a656eb3a7c25aaf143078a0dc2c8f1bb6bc56c1068846cb6ffe7d967d2c25
              • Instruction Fuzzy Hash: A8F0F6752042415FF6A4951A8C91B333695E7D0A51F65806FEB098B7E1EE71D8018694
              Function 0150656A Relevance: .0, Instructions: 39COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cfcb698ae6f8f700983ada593e27a1ef32b655591bfde62d64bba17b9ffc5730
              • Instruction ID: 7f6fe300ec5f455293adb5c8f1fcd249da2deb394ef6dc2685787b41c6bd11c3
              • Opcode Fuzzy Hash: cfcb698ae6f8f700983ada593e27a1ef32b655591bfde62d64bba17b9ffc5730
              • Instruction Fuzzy Hash: 6501A470240B859FF3239BACCD48F2937E4BB50B04F880594BA019FAE6E779D4418610
              Function 0157437C Relevance: .0, Instructions: 37COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction ID: c86704b793ac2ae803796a7a02d08dc8031739c54105fdbe509fba6a30b2352e
              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction Fuzzy Hash: 19F0E235341E1347EB36BA2EA421B3EAA95BFE0A10B25052D9609CF6D0DF20DC808790
              Function 0155E872 Relevance: .0, Instructions: 36COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
              • Instruction ID: cb184d55bc36a8f69f7ca71d6fadb7fb7f4b452889999c736fc78f5a85c3529b
              • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
              • Instruction Fuzzy Hash: B6F054337155119BD3619E4ECC91F16F7A8FFD5A60F19046AAA059F660C760ED0287D0
              Function 0155C89D Relevance: .0, Instructions: 36COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a572cd7a412b263913d016c779d838a03b1addcc97d90f3a3528606e0fd807b1
              • Instruction ID: 4d69faecded21b2c94832c91e2e15d2bedb865ccb5b3364d30232160240497f6
              • Opcode Fuzzy Hash: a572cd7a412b263913d016c779d838a03b1addcc97d90f3a3528606e0fd807b1
              • Instruction Fuzzy Hash: 89F0AF706057059FD350EF28C556E1ABBE8FF98710F40465ABC98DF394E634E901C796
              Function 01500854 Relevance: .0, Instructions: 35COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
              • Instruction ID: 4efdbd51e9859353f01f9cee02f265d69715ad9ef82deae7d495ddf4cd74bb4b
              • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
              • Instruction Fuzzy Hash: E2F02472600200AFE315DF66CC04F56B6E9FFA9340F148078A544CB1F0FAB0EE00C654
              Function 0155C912 Relevance: .0, Instructions: 34COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c3715688a74e13334c3e8913522278d54ecd04ac891c49d687944f21ecea9b53
              • Instruction ID: 36bca36648bae312fbc47c6170b8a5e24a3c2893ad69970c987e4473a24d5dcc
              • Opcode Fuzzy Hash: c3715688a74e13334c3e8913522278d54ecd04ac891c49d687944f21ecea9b53
              • Instruction Fuzzy Hash: 00F04F70A0124A9FDB04EF69C525E5EB7F8FF58300F00805AA955EB395DA38EA01CB50
              Function 014D47FB Relevance: .0, Instructions: 33COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ba19b6532435725da08cd6bbc5cdbae36f23764b84905fded7c9acbfb757a7ac
              • Instruction ID: 64c18ce2815d66a2bd1a285135c5372502e1e54335ed89ce77b116b7f0090874
              • Opcode Fuzzy Hash: ba19b6532435725da08cd6bbc5cdbae36f23764b84905fded7c9acbfb757a7ac
              • Instruction Fuzzy Hash: A0F096799156D19EDF22875CC06DB13B7D49B00BA0F0D596BE549C7E32C774D840C651
              Function 01590115 Relevance: .0, Instructions: 32COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 370722fa9c03375b546ee5fb21270704c1dd6e919e1cda159cce220454f48ed7
              • Instruction ID: f5f4a45fd024aeac162e968f17450ef2c24189359cca5b69122dc10e6011a1a5
              • Opcode Fuzzy Hash: 370722fa9c03375b546ee5fb21270704c1dd6e919e1cda159cce220454f48ed7
              • Instruction Fuzzy Hash: C6F027B641AAC20ECF726F2C6C502E93FA8B781510F0A1849D4B1AF345C774C687E321
              Function 0150C5ED Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3a60e2a41c5bda1ae60d017a9c286bd20c2c8491bef7d7a16bb0025c636d0762
              • Instruction ID: ffbee7c47af604876c4775873833b6279716ba39dfd032e70170bae260de17dc
              • Opcode Fuzzy Hash: 3a60e2a41c5bda1ae60d017a9c286bd20c2c8491bef7d7a16bb0025c636d0762
              • Instruction Fuzzy Hash: 94F052714026419FE73387DCC808B197BE4BB03BA0F0C9AA6D802CF192C370F880CA40
              Function 01512619 Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction ID: 9df7d3f152e961795f534460200cd052ccb9f0ade0220e1f78977d71477f3a45
              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction Fuzzy Hash: 79E0D8323006016BF7129F598CC4F5777AEEFE2B14F14447DB5045F295CAE2DC0986A4
              Function 01566030 Relevance: .0, Instructions: 29COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
              • Instruction ID: 567d80b9c9a493d8e12ffef3bea930382f35a73cf44523eb742413c858bead65
              • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
              • Instruction Fuzzy Hash: 92F01C72104204AFE3218F0AD944B56BBFCFB15374F55C42AE6099F561D379EC40CBA4
              Function 014D0710 Relevance: .0, Instructions: 28COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction ID: 94353ca7f28b36692cb34104fb8ad66534e152f3d9b184e3edbd35639491b494
              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction Fuzzy Hash: 00F0E53A2043559BEF16DF19C050A997BE4FB52350F0100A6F8528F361E731E982CB90
              Function 015049D0 Relevance: .0, Instructions: 28COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
              • Instruction ID: 22414f13543a3a90c035bb994d8ae685ae655e8f06117f3b4308fef1fe9e7d1f
              • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
              • Instruction Fuzzy Hash: D3E09232244145ABD7222A998800B7A77E7BBE07A0F150429E7008F190DBB4DC80D798
              Function 015A4164 Relevance: .0, Instructions: 27COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 00ede3f9091e9c4c5e020c11b03d549a1062135ea80efbbf16f95013c25a4452
              • Instruction ID: 8631122b09db4740665fabc848d1aab4929fd026ae83fb6dad2f33fd42bf14fe
              • Opcode Fuzzy Hash: 00ede3f9091e9c4c5e020c11b03d549a1062135ea80efbbf16f95013c25a4452
              • Instruction Fuzzy Hash: B0F0A031AA56914FE762D7A8E144B5D77E4BB20A20FCE0565D4118F912C3A0EC40C650
              Function 0157678E Relevance: .0, Instructions: 27COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
              • Instruction ID: 59ee64e1dfca167f0fce947e1f54c454483bf58110ea13f8ec7bd9822019f9ac
              • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
              • Instruction Fuzzy Hash: 4FE0DF72A00510BBEB22A7998D06F9ABEADEBA0EA0F050055B600EB0E0E530DE04D690
              Function 015A08C0 Relevance: .0, Instructions: 25COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
              • Instruction ID: 5188f1eaef47c74a0e1803324351bbc49c4b9ab55cafb207fe3deef71105bfa3
              • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
              • Instruction Fuzzy Hash: 63E09B316D07518BCB258A1DC140A5FB7E8FFE5660F55806DE9054B653C231F842C6D4
              Function 014D25E0 Relevance: .0, Instructions: 23COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 5a7678a07abec20036bf65f2ed8ed23fcd2a42053667c9130a03e0680c53e644
              • Instruction ID: b95d05cd96d268db09933c94946998b4249d93cb979e93603b685469b2cd76e2
              • Opcode Fuzzy Hash: 5a7678a07abec20036bf65f2ed8ed23fcd2a42053667c9130a03e0680c53e644
              • Instruction Fuzzy Hash: B4E09232100A549BC722FF2ADD11F9A77AAFFB0360F11451AF1565B1A0CA30A950C794
              Function 0158A456 Relevance: .0, Instructions: 23COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
              • Instruction ID: 300d968be3002795e742220c525395faaec72757c8c3cec83082b285cfdc2432
              • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
              • Instruction Fuzzy Hash: 60E06D31010A12DBEB326F2AC808B567AE1BFA0711F14882EA1962A5B0C7759890CA40
              Function 01554000 Relevance: .0, Instructions: 22COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction ID: 583b6bc5a4efb0a26804f3cc7763f16301fcf67de0491559dd5a7768834f115a
              • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction Fuzzy Hash: C7E0C2343003058FE755CF19C054B667BB6BFD5A10F28C069A9488F209EB32E882CB40
              Function 0150CA38 Relevance: .0, Instructions: 22COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2c31c54c59d139499466a4e02d52d506c41fe2cc489e3899ae309c121b1addf6
              • Instruction ID: 41809f3ada2dc6e0122c5ac5ba17b99411a6702a7a496a36771d78f4eeae0c58
              • Opcode Fuzzy Hash: 2c31c54c59d139499466a4e02d52d506c41fe2cc489e3899ae309c121b1addf6
              • Instruction Fuzzy Hash: B9D02B324810206ECB37E7997C04FA73A9ABB61320F0248A5F108DA0A1D5A4CCC192D4
              Function 014C823B Relevance: .0, Instructions: 21COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction ID: fc504c5e94356e932cdcec0e8144a28966dc0f2837dad9203137e6821795f144
              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction Fuzzy Hash: A3E08636100512DED7332F15DC04B5176A2FB94F10F20482EE0811A0B887709882DA44
              Function 014D2050 Relevance: .0, Instructions: 20COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a561a134851ebfd3abf763b56074ab72077a78d4f33a57d623708fa55d478efc
              • Instruction ID: e065f49e48b87b4f25a5c3c932a0e15472bcf196d07cf69faac92c4d7143f1a7
              • Opcode Fuzzy Hash: a561a134851ebfd3abf763b56074ab72077a78d4f33a57d623708fa55d478efc
              • Instruction Fuzzy Hash: 94E08C321005506BC612FE6EDD10E5A739AEFB4260F05012AF1558B6A4CA70AD40C7A4
              Function 01508A90 Relevance: .0, Instructions: 20COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
              • Instruction ID: 932875af401995156b4bfdfcff7e80dd2c6b098cd8c91162aec32d981d222d61
              • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
              • Instruction Fuzzy Hash: EEE08633511A1487C729DE58D511B7677E4FF45730F09463EA6134B7C1C574E544C794
              Function 0150E59C Relevance: .0, Instructions: 16COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
              • Instruction ID: 193582ebc7f2eac908f9647358350ca243b5a8b5eb6a5c0bde14791cb9264f98
              • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
              • Instruction Fuzzy Hash: F9D0A7331045105BD7329A1DFC04FC333D8BB58725F050459B005C7050C370EC41C644
              Function 0154E908 Relevance: .0, Instructions: 16COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
              • Instruction ID: 963d06fdb15f87efe730a570349c7afb9d133d15f3975a779179bf0445fd3b6b
              • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
              • Instruction Fuzzy Hash: 07E0EC369506849BDF16DF5AC645F5EBBF5FB94B40F150458A1486F661C738ED00CB40
              Function 014CA0E3 Relevance: .0, Instructions: 15COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction ID: 43dcaa9ff0c9c54277acbb0cb6599524ec17dd80922bc867e83f82bbab860b94
              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction Fuzzy Hash: 3BD0223321203093CB295A566C04F636905ABC0EE0F2A006E340B93920C4248C43C2E0
              Function 0150A830 Relevance: .0, Instructions: 14COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
              • Instruction ID: 048764984c608ac5d89e9262d0580910de489a759e9e02807b8cc859bc80e8a8
              • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
              • Instruction Fuzzy Hash: 34D012371D054DBBCB129F66DC01F957BA9E764BA0F444021B505875A0C63AE960D584
              Function 0150CA24 Relevance: .0, Instructions: 14COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c37b6e6cf7f26a788381156566ad3974d352d35497e0e336ef3f6e924ee98a9
              • Instruction ID: 13965ac6718f858214e5ac954b5e8f2240a11eda37831a96912e7649875d9a92
              • Opcode Fuzzy Hash: 6c37b6e6cf7f26a788381156566ad3974d352d35497e0e336ef3f6e924ee98a9
              • Instruction Fuzzy Hash: 8AD0A730901401CFDF27CF89C514D3E36B0FF10644B4000ACFB015A520D334EC41C620
              Function 014E02A0 Relevance: .0, Instructions: 13COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction ID: ef096eb4192f4c6452da7d7786720b3a65656a9dd327e144f9fa525fe2936e17
              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction Fuzzy Hash: B0D09235312A80CFD61A8B0CC5A8B1633E4BB84A45F854891E441CBB22D67CD940CA00
              Function 0150C700 Relevance: .0, Instructions: 12COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction ID: df485641772f3da298ab75f43090e50fb8a9d7b295817c1ff22c82e257d07a37
              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction Fuzzy Hash: 1EC01233290648AFC712AE9ACD01F027BA9EBA8B40F000062F2058B670C631E820EA84
              Function 014F0310 Relevance: .0, Instructions: 11COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction ID: dca5a2d6ae681735812cf7244de0f8f4732506ef314cf7aeb821abb3ee6fc3a1
              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction Fuzzy Hash: 47D01236100248EFCB01DF41C890D9A772BFBD8710F10801DFD19077118A31ED62DA50
              Function 014D0750 Relevance: .0, Instructions: 9COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction ID: 33b1d6b29412af72733465422159031e91a2cfc3301978b7da868ed7179ba16b
              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction Fuzzy Hash: F9C0487A701A468FEF16DF6AD298F4977E4FB54741F1508D0E805DBB22E624E802CA10
              Function 01514340 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b6377a3a86af0bc0e7512a2e1dfb85958fdb40b497e2690737ec41536a2ddc69
              • Instruction ID: 0e74f45ba3330aa6a04f2cbb6d37eb632975e13cdf02d8462bf0250d48745c72
              • Opcode Fuzzy Hash: b6377a3a86af0bc0e7512a2e1dfb85958fdb40b497e2690737ec41536a2ddc69
              • Instruction Fuzzy Hash: C7900233605810129140719848855464085B7E1311B59C411E0424958CCF548A565361
              Function 01514650 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d55cdb76a4222f3211e0f1a015b60de3c730793d6a411a5a13051725e2fa50d4
              • Instruction ID: bed4222f2f87978376faae576112baf0c6facba3460c6770fe8ab651af726998
              • Opcode Fuzzy Hash: d55cdb76a4222f3211e0f1a015b60de3c730793d6a411a5a13051725e2fa50d4
              • Instruction Fuzzy Hash: CB900263601510424140719848054066085B7E2311399C515E0554964CCB5889559369
              Function 01512BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 81801164d23cf59d08c149bb1a71f4aca223489b2d673249f94951d154387731
              • Instruction ID: 1934f930a232dc92ef440a15fc8b14c7979f31e503ad26da16c5b64f6b56527d
              • Opcode Fuzzy Hash: 81801164d23cf59d08c149bb1a71f4aca223489b2d673249f94951d154387731
              • Instruction Fuzzy Hash: 8090023320141802D1807198440564A0085A7D2311F99C415E0025A58DCF558B5977A1
              Function 01512BE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 50ec63ccee268cc71c0a539a322bd62011a486fdd77350fb9191680ade2a9e27
              • Instruction ID: b3f265c01bf0d15e972cf30da22265e1741079a4a31de6f4cad34f91d8951bd3
              • Opcode Fuzzy Hash: 50ec63ccee268cc71c0a539a322bd62011a486fdd77350fb9191680ade2a9e27
              • Instruction Fuzzy Hash: 9A90023320545842D14071984405A460095A7D1315F59C411E0064A98DDB658E55B761
              Function 01512B80 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cdea6a22c8f262f3028c2ed8d67c47db7c0f4e8a5c85fad3417c3b436769f5c9
              • Instruction ID: b118aa7529a380050fce8ed3dc374359f3281bd4911549f290b779a629c1a3de
              • Opcode Fuzzy Hash: cdea6a22c8f262f3028c2ed8d67c47db7c0f4e8a5c85fad3417c3b436769f5c9
              • Instruction Fuzzy Hash: 1E90023320141802D104719848056860085A7D1311F59C411E6024A59EDBA589917231
              Function 01512BA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 30e0422d8ca470213092d52a1511b51bb1127264095bf97e22d7a09b71948b24
              • Instruction ID: 70598df207111df58a0a9b12f47f9296285ebeb1014bb12530ee007d733bb655
              • Opcode Fuzzy Hash: 30e0422d8ca470213092d52a1511b51bb1127264095bf97e22d7a09b71948b24
              • Instruction Fuzzy Hash: 4D90023360541802D150719844157460085A7D1311F59C411E0024A58DCB958B5577A1
              Function 01512AD0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dc364620fd0f96325dccb29825d742d80d10fa6d3238cdf027f1041a4c4b6347
              • Instruction ID: 629636a56e54d37908792dc64237e0c7da13391470373d7ea8ef93fb6addd7b5
              • Opcode Fuzzy Hash: dc364620fd0f96325dccb29825d742d80d10fa6d3238cdf027f1041a4c4b6347
              • Instruction Fuzzy Hash: 07900227211410030105B598070550700C6A7D6361359C421F1015954CDB6189615221
              Function 01512AF0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1842cb700b21349fca61bb663838124efbeaeb56b950b58cf5d7ed608c20516
              • Instruction ID: 0be8690bbc2cc805fc3bc1612e54f83f65d021fd4ceb591dab7060dcde8fb703
              • Opcode Fuzzy Hash: c1842cb700b21349fca61bb663838124efbeaeb56b950b58cf5d7ed608c20516
              • Instruction Fuzzy Hash: 79900227221410020145B598060550B04C5B7D7361399C415F1416994CCB6189655321
              Function 01512AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f621127ff82c50f1fbed4f876e186fc75082c49e77c6ba0c0f77bef06e984e4a
              • Instruction ID: aeb0991c809532ed1b9d99e26a6934e52412ce477797586aeb9f309dbea3d882
              • Opcode Fuzzy Hash: f621127ff82c50f1fbed4f876e186fc75082c49e77c6ba0c0f77bef06e984e4a
              • Instruction Fuzzy Hash: FA9002A3201550924500B2988405B0A4585A7E1211B59C416E1054964CCA6589519235
              Function 01512D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4f01c0e44c81892306a2585e3a3175e3aee90fba5e0d88cd71abae7f5d05f520
              • Instruction ID: a25bc4eb16a9f04d593ed1e4ef75fa59e6d7046d43f6f6114b43cbdfb60ee8e9
              • Opcode Fuzzy Hash: 4f01c0e44c81892306a2585e3a3175e3aee90fba5e0d88cd71abae7f5d05f520
              • Instruction Fuzzy Hash: 0290022B21341002D1807198540960A0085A7D2212F99D815E001595CCCE5589695321
              Function 01512D00 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c23fe7f425c66411ab4c1f0361e4e0ccbc9ba30390d59b6c8dcdd25612c5492a
              • Instruction ID: 86ace95c683631b804d47928c1b62927b9906003ac634661fd86881cda1b30e4
              • Opcode Fuzzy Hash: c23fe7f425c66411ab4c1f0361e4e0ccbc9ba30390d59b6c8dcdd25612c5492a
              • Instruction Fuzzy Hash: 0490022320545442D10075985409A060085A7D1215F59D411E1064999DCB758951A231
              Function 01512D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e7838a52577ac87e2c8b0d4fa8ea90eca9a72c95b5ea0d15710b4e82ff534f7d
              • Instruction ID: 34a2aca7a5c065cd132aaf4e745309523c9b431ed2d9def032296600e3ebf46a
              • Opcode Fuzzy Hash: e7838a52577ac87e2c8b0d4fa8ea90eca9a72c95b5ea0d15710b4e82ff534f7d
              • Instruction Fuzzy Hash: D290022330141003D140719854196064085F7E2311F59D411E0414958CDE5589565322
              Function 01512DD0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 47a07516b1de0d1491f8a9308d58181c48b92f15bb17e22ec092b5405436b66d
              • Instruction ID: caf07af0425032221863847342929a9830bf9949e4c3db6c843f528e7a971e85
              • Opcode Fuzzy Hash: 47a07516b1de0d1491f8a9308d58181c48b92f15bb17e22ec092b5405436b66d
              • Instruction Fuzzy Hash: CC900223242451525545B19844055074086B7E1251799C412E1414D54CCA669956D721
              Function 01512DB0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 864890e046da42443157b576fef961fa583ee8808fb71fab08beae99c9ab962a
              • Instruction ID: 02cd1af58af8216bda9a83171ecb0dd0ff34e0111366e4b8ebe52abd63223066
              • Opcode Fuzzy Hash: 864890e046da42443157b576fef961fa583ee8808fb71fab08beae99c9ab962a
              • Instruction Fuzzy Hash: B990023324141402D141719844056060089B7D1251F99C412E0424958ECB958B56AB61
              Function 01512C60 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 11ba33b496daa688d63c295b02c4b8ca77bdc310caa1a541ae4d1ff3d884e8fb
              • Instruction ID: ec00fdce4d6c9465d062924c176758607e46a1d5ebc17a825aaa50c5c5741e8d
              • Opcode Fuzzy Hash: 11ba33b496daa688d63c295b02c4b8ca77bdc310caa1a541ae4d1ff3d884e8fb
              • Instruction Fuzzy Hash: 8690023320141842D10071984405B460085A7E1311F59C416E0124A58DCB55C9517621
              Function 01512CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b90ac9b5a94a18db47707b1a17b65d9069a2b5a0ab3ebb14db497c70706d6e20
              • Instruction ID: 9a2dac10fbbea85b0cd33fc596ad3546a525540aab5de2baa421ef70e7c9b46e
              • Opcode Fuzzy Hash: b90ac9b5a94a18db47707b1a17b65d9069a2b5a0ab3ebb14db497c70706d6e20
              • Instruction Fuzzy Hash: CC90022360541402D140719854197060095A7D1211F59D411E0024958DCB998B5567A1
              Function 01512CF0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f2d386dcaf403018d8635924f8bbe6972fcb5d1d0c5dade8facb8f06042fa344
              • Instruction ID: 4b014946876e93f791e27775f9b7c36e4536cf0080435f511f46e62a5d1d0e45
              • Opcode Fuzzy Hash: f2d386dcaf403018d8635924f8bbe6972fcb5d1d0c5dade8facb8f06042fa344
              • Instruction Fuzzy Hash: CD90023320141403D100719855097070085A7D1211F59D811E042495CDDB9689516221
              Function 01512CA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7c0110a782f6cc0456eaaa212adcd639bad98b7829f65783a47fd32e770db49c
              • Instruction ID: 009c6b341c85e83afff9f0c8e7845387edcf3aa127c0b183f194ecd74a28a216
              • Opcode Fuzzy Hash: 7c0110a782f6cc0456eaaa212adcd639bad98b7829f65783a47fd32e770db49c
              • Instruction Fuzzy Hash: 7390023320141402D10075D854096460085A7E1311F59D411E5024959ECBA589916231
              Function 01512F60 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d551f0a5bb2dde76accb0a70579038c019ffb8c97e9f723b0f425ea68a15b6c5
              • Instruction ID: 574f0ca0148b53d2670e137c93dffc5d2a9f3319b9bef96fddec5f557fcb4206
              • Opcode Fuzzy Hash: d551f0a5bb2dde76accb0a70579038c019ffb8c97e9f723b0f425ea68a15b6c5
              • Instruction Fuzzy Hash: AF90026321141042D1047198440570600C5A7E2211F59C412E2154958CCA698D615225
              Function 01512F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ab2421e40a81132ce772976e22fd60200149bfe63836fa4a39e9f0047c57fce9
              • Instruction ID: 9b65ecf60f4fb5a72a34da3bf0abe7d4619712ffb29f938ee0c7dbf85a8bf68d
              • Opcode Fuzzy Hash: ab2421e40a81132ce772976e22fd60200149bfe63836fa4a39e9f0047c57fce9
              • Instruction Fuzzy Hash: 7190026334141442D10071984415B060085E7E2311F59C415E1064958DCB59CD526226
              Function 01512FE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dda4bd88104c444c3cbbccb85acd921baf310b290a71a809a1862121baf5fd3d
              • Instruction ID: 518402df4ad28a8840d32812ff2b1f3908af46899651a2de74807f4714d04f95
              • Opcode Fuzzy Hash: dda4bd88104c444c3cbbccb85acd921baf310b290a71a809a1862121baf5fd3d
              • Instruction Fuzzy Hash: B4900223211C1042D20075A84C15B070085A7D1313F59C515E0154958CCE5589615621
              Function 01512F90 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b134a5cf5b16a02ef2ddcc3bf4fade5ad7d7734b63b96151888bc9bd7c9e231d
              • Instruction ID: 8839481735dabfb8476652012f7b39606a6bd4a490fbf8ba19206235e218a0be
              • Opcode Fuzzy Hash: b134a5cf5b16a02ef2ddcc3bf4fade5ad7d7734b63b96151888bc9bd7c9e231d
              • Instruction Fuzzy Hash: 9D90023320181402D1007198481570B0085A7D1312F59C411E1164959DCB6589516671
              Function 01512FB0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 08b672b343074c61bab34807d7475082e2551e61cde5c2d46dea017cc1d723fd
              • Instruction ID: 88509111300c38b2486eb8eb7f56e35da5265c8663701231a5e0d91c5f2c7277
              • Opcode Fuzzy Hash: 08b672b343074c61bab34807d7475082e2551e61cde5c2d46dea017cc1d723fd
              • Instruction Fuzzy Hash: 1A90022360141042414071A888459064085BBE2221759C521E0998954DCA9989655765
              Function 01512FA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0eed99ac9e6d8770a86fd35301422b53449241dca3466ce03c8a2b7ef56caff8
              • Instruction ID: cd6876d233b378e44b0cdd923cb8550d25da38bca0b8c8bae8cec5e5e6d14868
              • Opcode Fuzzy Hash: 0eed99ac9e6d8770a86fd35301422b53449241dca3466ce03c8a2b7ef56caff8
              • Instruction Fuzzy Hash: 3090023320181402D100719848097470085A7D1312F59C411E5164959ECBA5C9916631
              Function 01512E30 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4901801a3ccfb2949781ed9b87089b987f9d246098a9624e0fdc9bb21164445c
              • Instruction ID: 8981df695de63c356626e18d18b09344c35d42e53d0d22820ab0ad75257371e9
              • Opcode Fuzzy Hash: 4901801a3ccfb2949781ed9b87089b987f9d246098a9624e0fdc9bb21164445c
              • Instruction Fuzzy Hash: 4090022330141402D102719844156060089E7D2355F99C412E1424959DCB658A53A232
              Function 01512EE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b84c8d248608d7d2d5f474b1691d7209dad22d2a6e0c593f48b920f291153f7
              • Instruction ID: 91453f6d1ee95d29b3f6194c02ebcdd6de6cfebf993a043ee5395221fc73be2a
              • Opcode Fuzzy Hash: 0b84c8d248608d7d2d5f474b1691d7209dad22d2a6e0c593f48b920f291153f7
              • Instruction Fuzzy Hash: B390026320181403D140759848056070085A7D1312F59C411E2064959ECF698D516235
              Function 01512E80 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bc9c0738aae47b5c84d0dbfcf1e9d36fcd1d71be9c3ce7da715ae559bc3f11c4
              • Instruction ID: 5725569e12d22f3786af2eb6c5da8f659ee489e0391ba7bdbb0cd8f6f426dd73
              • Opcode Fuzzy Hash: bc9c0738aae47b5c84d0dbfcf1e9d36fcd1d71be9c3ce7da715ae559bc3f11c4
              • Instruction Fuzzy Hash: 9990022360141502D10171984405616008AA7D1251F99C422E1024959ECF658A92A231
              Function 01512EA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fec0db3dd4e2d2022770cf866dc84cefe6a79fdb66c8dcac9c1e006faece7d82
              • Instruction ID: e4178cb921a8002e44628f6e12df5bd6817ddff951974430162ff148de8cd83b
              • Opcode Fuzzy Hash: fec0db3dd4e2d2022770cf866dc84cefe6a79fdb66c8dcac9c1e006faece7d82
              • Instruction Fuzzy Hash: 9090027320141402D140719844057460085A7D1311F59C411E5064958ECB998ED56765
              Function 01513010 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c93b4ab5581e32160aa93c9b56da7a6378401c0a08ae7c3505e3ed0ab515026
              • Instruction ID: 16b98a208c0dcfebd2fba50879025659c42a4f4227f6a6a6d592d66840dab974
              • Opcode Fuzzy Hash: 6c93b4ab5581e32160aa93c9b56da7a6378401c0a08ae7c3505e3ed0ab515026
              • Instruction Fuzzy Hash: 1990022320185442D14072984805B0F4185A7E2212F99C419E4156958CCE5589555721
              Function 01513090 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c5f19b1cf4da5d3d01df7d359a743efa1a5ae3edaadd56e9938991c4863372a4
              • Instruction ID: 7a9c3833aa2b3cdff5f040154b5f5f43088a549721be31e35bf3325c6a688e3d
              • Opcode Fuzzy Hash: c5f19b1cf4da5d3d01df7d359a743efa1a5ae3edaadd56e9938991c4863372a4
              • Instruction Fuzzy Hash: A190022324141802D140719884157070086E7D1611F59C411E0024958DCB568A6567B1
              Function 015139B0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8d291318ad4637d885bdb4cb1b064c4ac7039286c7f158ef43348aeed2c31a52
              • Instruction ID: ff11fc8910e93830b548b7839b64a1a001bdc0d7afd85ae6e62de43ae0db6dac
              • Opcode Fuzzy Hash: 8d291318ad4637d885bdb4cb1b064c4ac7039286c7f158ef43348aeed2c31a52
              • Instruction Fuzzy Hash: EF90022324546102D150719C44056164085B7E1211F59C421E0814998DCA9589556321
              Function 01513D70 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 63030dcab276916c7cd34f1704404334cfb1353637e7fbff9156d551223b6c28
              • Instruction ID: 21886ffe48eefaf81f964c90c13c4986b25415866b1cb9ab49ba7703fb6c0142
              • Opcode Fuzzy Hash: 63030dcab276916c7cd34f1704404334cfb1353637e7fbff9156d551223b6c28
              • Instruction Fuzzy Hash: 2090023720141402D5107198580564600C6A7D1311F59D811E042495CDCB9489A1A221
              Function 01513D10 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8e745b328f06c6344c9a2f6ff46925ee57cc3bd750bdb1d6ba3d025a2b5c31e1
              • Instruction ID: c69ac099f3c80980c13c7c95324269f60bb1ff27f97d626d914a864cf044b2cd
              • Opcode Fuzzy Hash: 8e745b328f06c6344c9a2f6ff46925ee57cc3bd750bdb1d6ba3d025a2b5c31e1
              • Instruction Fuzzy Hash: 1B90023320241142954072985805A4E4185A7E2312B99D815E0015958CCE5489615321
              Function 01512C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction ID: 3aa530bd9f9da46c43373b1a0acd4f4e5db6b312c331b1a8573885668b0fdd4a
              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction Fuzzy Hash:
              Function 01512890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: c91673bea96281769799926cbf028d6a6402208403c978aed691629fc0c77e2a
              • Instruction ID: 4d71cf93870a32284e4e170306e336cb7e6c1f891b409e8fc2fc425ce4abf445
              • Opcode Fuzzy Hash: c91673bea96281769799926cbf028d6a6402208403c978aed691629fc0c77e2a
              • Instruction Fuzzy Hash: B551D7B6A00216BFEB12DF9C899097EFBF8BB48240B64C129F555DB645D334DE408BE0
              Function 01582410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: aa97458d6092c39f1a225a12572c782ca8f0ce6d407fbc779da3c01aba610752
              • Instruction ID: 7f09cc2e5ac3dfe9c1942077c0a6c8929c37776639c540b51da3c9774ba94be5
              • Opcode Fuzzy Hash: aa97458d6092c39f1a225a12572c782ca8f0ce6d407fbc779da3c01aba610752
              • Instruction Fuzzy Hash: 5451F4B5A40646AEDB20EE5DC89097FBFF8BF44200F44885AE4D6EF681E674DA00C770
              Function 01507630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
              Download Yara Rule
              Strings
              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01544655
              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01544725
              • ExecuteOptions, xrefs: 015446A0
              • Execute=1, xrefs: 01544713
              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 015446FC
              • CLIENT(ntdll): Processing section info %ws..., xrefs: 01544787
              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01544742
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
              • API String ID: 0-484625025
              • Opcode ID: eebb323422904eb371951b8109a0e21761788e3305c4c8a944451843dd31414f
              • Instruction ID: 74c2498aa8ab1d8cd795a21788d5c85d019b3ebdd593dda598d1dae989d098e7
              • Opcode Fuzzy Hash: eebb323422904eb371951b8109a0e21761788e3305c4c8a944451843dd31414f
              • Instruction Fuzzy Hash: 89514B3160020ABBEF12EAE8DC95FAD77A8BF58744F14009AD606AF1D1D770AA458F50
              Function 015A6940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
              • Instruction ID: aa30154bbe347be4fea2d10d7b53b4b234a6e2d34eb9087b16102085f7d63ba3
              • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
              • Instruction Fuzzy Hash: FF020471548342AFD305CF28C490A6FBBE5FFC8700F84892DBA998B264DB71E945CB52
              Function 0151B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction ID: f5e176e961f0b6da425b7870111e6e4e95e77a4c474b9f3dadefdedc69d8df11
              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction Fuzzy Hash: 5081D170E0524A9EFF278E6CC8907FEBBB1BF55720F184A19D851AF299C7348840CB61
              Function 015820E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: %%%u$[$]:%u
              • API String ID: 48624451-2819853543
              • Opcode ID: 4df3156c523e70c7d0f669e880d08b1eff414b02bdc27d1676c782b1271fab48
              • Instruction ID: e8786bc6c5ef11444cbc83e810c3bab9418f133a1d60c9a0c69fe5c39b74707d
              • Opcode Fuzzy Hash: 4df3156c523e70c7d0f669e880d08b1eff414b02bdc27d1676c782b1271fab48
              • Instruction Fuzzy Hash: 5921657AA0011AABDB11EF79CC40AEE7FF8FF54644F54012AE905E7244E730D911CBA1
              Function 014FF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
              Download Yara Rule
              Strings
              • RTL: Re-Waiting, xrefs: 0154031E
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 015402BD
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 015402E7
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
              • API String ID: 0-2474120054
              • Opcode ID: 0dbd05da6ee4db4f93009731795933cc33feff24978a441c9dc4306e6e251094
              • Instruction ID: 72ba8d594e570dbccb1e3aae0c4933d82d8ca7fd677fa2a5113966577b62e800
              • Opcode Fuzzy Hash: 0dbd05da6ee4db4f93009731795933cc33feff24978a441c9dc4306e6e251094
              • Instruction Fuzzy Hash: 7BE1B2316087429FE725CF28C884B5ABBE0BF84714F240A5EF6A58B3E1D774D849CB42
              Function 0150BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
              Download Yara Rule
              Strings
              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01547B7F
              • RTL: Re-Waiting, xrefs: 01547BAC
              • RTL: Resource at %p, xrefs: 01547B8E
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 0-871070163
              • Opcode ID: dafdbb0a5e4d2a9b47779506ff868ac1d989d88114b05a5608e7db7d8c47d03c
              • Instruction ID: 807058155cd81d3a44174f106b8b8a3c69af269eac6b63c19e3b0557252c29b0
              • Opcode Fuzzy Hash: dafdbb0a5e4d2a9b47779506ff868ac1d989d88114b05a5608e7db7d8c47d03c
              • Instruction Fuzzy Hash: 6141D1353007039FD726DE69C880B6AB7E5FB98710F100A1EF9669F280EB71E8058B91
              Function 0150B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0154728C
              Strings
              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01547294
              • RTL: Re-Waiting, xrefs: 015472C1
              • RTL: Resource at %p, xrefs: 015472A3
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 885266447-605551621
              • Opcode ID: 246a0a955c6d90cf63a9b25c473ee9878eea87059dffc343666feb6d56c701e5
              • Instruction ID: a63b01235db0345fa8c167f9d94fc83f02739ebc9e86db1ee72517f8d1716b09
              • Opcode Fuzzy Hash: 246a0a955c6d90cf63a9b25c473ee9878eea87059dffc343666feb6d56c701e5
              • Instruction Fuzzy Hash: 0541D035704203ABD721DE69CC81F6AB7A6FB98714F100A1AF955AF280DB71F94287E1
              Function 01582300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: %%%u$]:%u
              • API String ID: 48624451-3050659472
              • Opcode ID: db90db450ae29bc39fec1cc08a9a7e794e85230b118731486fa0049416ca49d2
              • Instruction ID: 107506d1d61f036fb0fe57c0eb4cf3202bdf8afb1c4346a8631a2d7d116a8fd5
              • Opcode Fuzzy Hash: db90db450ae29bc39fec1cc08a9a7e794e85230b118731486fa0049416ca49d2
              • Instruction Fuzzy Hash: C6315476A002199FDB20DE2DCC50BEEBBF8FF54650F94455AE949E7240EF309A44CBA0
              Function 01517D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-
              • API String ID: 1302938615-2137968064
              • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction ID: c4743d285e126930926dd09acfa3ca83470034b349d5f8689e92f456643c011d
              • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction Fuzzy Hash: 22919471E0020A9EFB26DF6DC8806BFBBE5BF48320F54461AE965EF2C8D73499408751
              Function 014D9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1359717433.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_14a0000_Quote35664776.jbxd
              Similarity
              • API ID:
              • String ID: $$@
              • API String ID: 0-1194432280
              • Opcode ID: 563d975ca398593017bffa70d123415f38ac73c782ba5bf847ce9d60c81d691c
              • Instruction ID: 9aeca95fc6eea966c6af3190808e44f1d80aa36803d58e5230bb297310d15e39
              • Opcode Fuzzy Hash: 563d975ca398593017bffa70d123415f38ac73c782ba5bf847ce9d60c81d691c
              • Instruction Fuzzy Hash: 59811871D006699BDB31CF54CC54BEEBBB4AF58714F0441EAAA19BB290D7709E848FA0