Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Quotation.exe

Overview

General Information

Sample name:Quotation.exe
Analysis ID:1558498
MD5:404a7ca256047297656926bbea03415f
SHA1:de02afb6d97f497ddaa0025a358b501a1ee942e4
SHA256:f03acdb2a846f8060d76c3d81651949b5699a5dee5b2b26ec238872defd12252
Tags:AgentTeslaexeuser-threatcat_ch
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Quotation.exe (PID: 6536 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: 404A7CA256047297656926BBEA03415F)
    • powershell.exe (PID: 1476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7376 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • Quotation.exe (PID: 1260 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: 404A7CA256047297656926BBEA03415F)
    • Quotation.exe (PID: 6356 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: 404A7CA256047297656926BBEA03415F)
    • Quotation.exe (PID: 1792 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: 404A7CA256047297656926BBEA03415F)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.showpiece.trillennium.biz", "Username": "build@showpiece.trillennium.biz", "Password": "3KJ[T.3]fsSW"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000D.00000002.3738165227.0000000002BA2000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    0000000D.00000002.3738165227.0000000002B76000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      0000000D.00000002.3738165227.0000000002B76000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        0000000D.00000002.3734092750.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          0000000D.00000002.3734092750.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 7 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            4.2.Quotation.exe.364b6e0.1.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              4.2.Quotation.exe.364b6e0.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                4.2.Quotation.exe.3686100.3.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  4.2.Quotation.exe.3686100.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    4.2.Quotation.exe.364b6e0.1.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                    • 0x316f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                    • 0x31763:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                    • 0x317ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                    • 0x3187f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                    • 0x318e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                    • 0x3195b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                    • 0x319f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                    • 0x31a81:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                    Click to see the 12 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation.exe", ParentImage: C:\Users\user\Desktop\Quotation.exe, ParentProcessId: 6536, ParentProcessName: Quotation.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe", ProcessId: 1476, ProcessName: powershell.exe
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation.exe", ParentImage: C:\Users\user\Desktop\Quotation.exe, ParentProcessId: 6536, ParentProcessName: Quotation.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe", ProcessId: 1476, ProcessName: powershell.exe
                    Sigma detected: Suspicious Outbound SMTP Connections
                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 67.23.226.139, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Quotation.exe, Initiated: true, ProcessId: 1792, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49706
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation.exe", ParentImage: C:\Users\user\Desktop\Quotation.exe, ParentProcessId: 6536, ParentProcessName: Quotation.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe", ProcessId: 1476, ProcessName: powershell.exe

                    Suricata Signatures

                    No Suricata rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 4.2.Quotation.exe.3686100.3.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.showpiece.trillennium.biz", "Username": "build@showpiece.trillennium.biz", "Password": "3KJ[T.3]fsSW"}
                    Multi AV Scanner detection for submitted file
                    Source: Quotation.exeReversingLabs: Detection: 50%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for sample
                    Source: Quotation.exeJoe Sandbox ML: detected
                    Source: Quotation.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: Quotation.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: ifAP.pdbSHA256 source: Quotation.exe
                    Source: Binary string: ifAP.pdb source: Quotation.exe

                    Networking

                    barindex
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: 4.2.Quotation.exe.3686100.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Quotation.exe.364b6e0.1.raw.unpack, type: UNPACKEDPE
                    Source: global trafficTCP traffic: 192.168.2.7:49706 -> 67.23.226.139:587
                    Source: Joe Sandbox ViewIP Address: 67.23.226.139 67.23.226.139
                    Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                    Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                    Source: Joe Sandbox ViewASN Name: DIMENOCUS DIMENOCUS
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: global trafficTCP traffic: 192.168.2.7:49706 -> 67.23.226.139:587
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                    Source: global trafficDNS traffic detected: DNS query: mail.showpiece.trillennium.biz
                    Source: Quotation.exe, 0000000D.00000002.3738165227.0000000002BA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.showpiece.trillennium.biz
                    Source: Quotation.exe, 00000004.00000002.1292437166.00000000024A5000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000D.00000002.3738165227.0000000002B41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: Quotation.exe, 0000000D.00000002.3738165227.0000000002BA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://showpiece.trillennium.biz
                    Source: Quotation.exeString found in binary or memory: http://tempuri.org/project_mgtDataSet.xsdOproject_mgt_system.Properties.Resources
                    Source: Quotation.exe, 00000004.00000002.1294433791.0000000003439000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000D.00000002.3734092750.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: Quotation.exe, 00000004.00000002.1294433791.0000000003439000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000D.00000002.3738165227.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000D.00000002.3734092750.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 4.2.Quotation.exe.3686100.3.raw.unpack, SKTzxzsJw.cs.Net Code: pT1h
                    Source: 4.2.Quotation.exe.364b6e0.1.raw.unpack, SKTzxzsJw.cs.Net Code: pT1h
                    Installs a global keyboard hook
                    Source: C:\Users\user\Desktop\Quotation.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\Quotation.exeJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 4.2.Quotation.exe.364b6e0.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 4.2.Quotation.exe.3686100.3.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 13.2.Quotation.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 4.2.Quotation.exe.3686100.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 4.2.Quotation.exe.364b6e0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Initial sample is a PE file and has a suspicious name
                    Source: initial sampleStatic PE information: Filename: Quotation.exe
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_0227A3F04_2_0227A3F0
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_0227D57C4_2_0227D57C
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_06A034B84_2_06A034B8
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_06A021064_2_06A02106
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_06A066694_2_06A06669
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_06A066784_2_06A06678
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_06A034A84_2_06A034A8
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_06A0F5D84_2_06A0F5D8
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_06A0F1A04_2_06A0F1A0
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_06A0BCB84_2_06A0BCB8
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_06B448A04_2_06B448A0
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_06B400064_2_06B40006
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_06B400404_2_06B40040
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 4_2_06B409F04_2_06B409F0
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 13_2_010BE0E913_2_010BE0E9
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 13_2_010B4A9813_2_010B4A98
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 13_2_010BDC6813_2_010BDC68
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 13_2_010B3E8013_2_010B3E80
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 13_2_010B41C813_2_010B41C8
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 13_2_010BA92013_2_010BA920
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 13_2_0697629013_2_06976290
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 13_2_0697B2BB13_2_0697B2BB
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 13_2_0697C22013_2_0697C220
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 13_2_0697524013_2_06975240
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 13_2_0697310813_2_06973108
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 13_2_0697E44013_2_0697E440
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 13_2_0697233A13_2_0697233A
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 13_2_0697733813_2_06977338
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 13_2_0697004013_2_06970040
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 13_2_0697597B13_2_0697597B
                    Source: Quotation.exe, 00000004.00000002.1297924184.00000000083A0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs Quotation.exe
                    Source: Quotation.exe, 00000004.00000002.1296833585.0000000006930000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs Quotation.exe
                    Source: Quotation.exe, 00000004.00000002.1292437166.00000000024A5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename00b93cc8-4625-4c9d-a44d-5996e806c5f9.exe4 vs Quotation.exe
                    Source: Quotation.exe, 00000004.00000000.1269450037.00000000000F6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameifAP.exeP vs Quotation.exe
                    Source: Quotation.exe, 00000004.00000002.1288501884.00000000005DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Quotation.exe
                    Source: Quotation.exe, 00000004.00000002.1292437166.0000000002431000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs Quotation.exe
                    Source: Quotation.exe, 00000004.00000002.1294433791.0000000003439000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename00b93cc8-4625-4c9d-a44d-5996e806c5f9.exe4 vs Quotation.exe
                    Source: Quotation.exe, 00000004.00000002.1294433791.0000000003439000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs Quotation.exe
                    Source: Quotation.exe, 0000000D.00000002.3734092750.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilename00b93cc8-4625-4c9d-a44d-5996e806c5f9.exe4 vs Quotation.exe
                    Source: Quotation.exe, 0000000D.00000002.3734524572.0000000000AF8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Quotation.exe
                    Source: Quotation.exeBinary or memory string: OriginalFilenameifAP.exeP vs Quotation.exe
                    Source: Quotation.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 4.2.Quotation.exe.364b6e0.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 4.2.Quotation.exe.3686100.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 13.2.Quotation.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 4.2.Quotation.exe.3686100.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 4.2.Quotation.exe.364b6e0.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: Quotation.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 4.2.Quotation.exe.3686100.3.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.Quotation.exe.3686100.3.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.Quotation.exe.3686100.3.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.Quotation.exe.3686100.3.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.Quotation.exe.3686100.3.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.Quotation.exe.3686100.3.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.Quotation.exe.3686100.3.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 4.2.Quotation.exe.3686100.3.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, m11KElQoaGTS6ScoKL.csSecurity API names: _0020.SetAccessControl
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, m11KElQoaGTS6ScoKL.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, m11KElQoaGTS6ScoKL.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, gnUSCu92R6bF7qGVZD.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, gnUSCu92R6bF7qGVZD.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, m11KElQoaGTS6ScoKL.csSecurity API names: _0020.SetAccessControl
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, m11KElQoaGTS6ScoKL.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, m11KElQoaGTS6ScoKL.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@11/6@2/2
                    Source: C:\Users\user\Desktop\Quotation.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation.exe.logJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1384:120:WilError_03
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_seuynxxz.qqt.ps1Jump to behavior
                    Source: Quotation.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: Quotation.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\Quotation.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Quotation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Quotation.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: Quotation.exeReversingLabs: Detection: 50%
                    Source: unknownProcess created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
                    Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe"
                    Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
                    Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\Quotation.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: Quotation.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Quotation.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Quotation.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: ifAP.pdbSHA256 source: Quotation.exe
                    Source: Binary string: ifAP.pdb source: Quotation.exe

                    Data Obfuscation

                    barindex
                    .NET source code contains potential unpacker
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, m11KElQoaGTS6ScoKL.cs.Net Code: hUNXbOQ8uN System.Reflection.Assembly.Load(byte[])
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, m11KElQoaGTS6ScoKL.cs.Net Code: hUNXbOQ8uN System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 13_2_010B0C45 push ebx; retf 13_2_010B0C52
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 13_2_010B0C53 push ebx; retf 13_2_010B0C52
                    Source: C:\Users\user\Desktop\Quotation.exeCode function: 13_2_010B0C6D push edi; retf 13_2_010B0C7A
                    Source: Quotation.exeStatic PE information: section name: .text entropy: 7.945855715131603
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, gnUSCu92R6bF7qGVZD.csHigh entropy of concatenated method names: 'RZBvgHWrZL', 'xlOvR7y92r', 'NT1vmu1aHi', 'gXFvF3uq5K', 'TafvBRPwMr', 'l5xv5AV5cU', 'eoRvrWsX6j', 'Aj0veL1KGO', 'DxGv1hZpCM', 'PaEvuMCsYg'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, eHT1T75IHvJ8sOUE38.csHigh entropy of concatenated method names: 'uqPEeKOPkI', 'am7EuHBoh6', 'P9jYwxEqW7', 'IL6YsGuJXR', 'cM7EDkbJ4F', 'y2PEi7xAbg', 'xgfEJr8alV', 'AHvEg7Ssvp', 'zHoEREL7AC', 'WKWEm8bM9X'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, LRZpgcvSu5EnCVpLXd.csHigh entropy of concatenated method names: 'Dispose', 'nTHs1YPDXJ', 'YcShngZIac', 'uBB0g0oNLZ', 'it3sueMDTU', 'tCvszwHlNA', 'ProcessDialogKey', 'Dfvhwa4LsD', 'xshhs3dIvB', 'K0PhhJJYhF'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, QW44ZNssmHdh1ViQKBq.csHigh entropy of concatenated method names: 'UMlMuE16JM', 'E9BMzdNXRO', 'rGhAwRq17H', 'Gw4Ask9hkv', 'oCdAhIYP8U', 'volALcxjfj', 'SRXAXUnVWi', 'S08ATEH1MK', 'YdMAtg4Hw3', 'KsdAvkMx9s'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, j8l8X3hGl6YEdJptKd.csHigh entropy of concatenated method names: 'aQ9bNUbPi', 'xne2YxFQw', 'gcUSLjEdW', 'm0FqZlYQj', 't6kHxmPOn', 'SmxIE5jlu', 'vtBQorYgb92uamuWtY', 'vLx0XoaIOkl1LbuvmQ', 'F60YCBCvT', 'lkaMEtehl'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, hSEuaEN37iorj9y7aG.csHigh entropy of concatenated method names: 'DCgC02o78d', 'IfTCZ1Jeh5', 'EsCCbnIYoY', 'Av0C26uQYx', 'k7sC8bVpvS', 'rd1CSH3WQ3', 'UiuCqnndvO', 'mMFC99o929', 'xyGCHGpXdU', 'MogCIZLFjv'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, bMPlLSJ9RqY9YkWwgi.csHigh entropy of concatenated method names: 'Ixm69MkUSq', 'oDL6HAd7EL', 'd77639gl9q', 'qtZ6nOfTwV', 'EnD6UD3LpM', 'Wcx6lvV3AB', 'C386OpvWv6', 'vHL6ayDFjl', 'nUe64kDd0m', 'DD26DmkAP5'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, WYve84rJfGTHYPDXJy.csHigh entropy of concatenated method names: 'Q87KfC9Q5J', 'tcIKEMq3ff', 'DiSKK8fJ7O', 'mprKA0VtjZ', 'rsYKob0KOb', 'OM6K7lSujQ', 'Dispose', 'AhUYtQNqQ2', 'oFfYv9yIsE', 'lbtYpomW2W'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, WTq2RLX5BngG5eQIvd.csHigh entropy of concatenated method names: 'BdpsCnUSCu', 'AR6sQbF7qG', 'egKsxywxRY', 'WhgsG3vRsu', 'xoasfw29H5', 'rPssjcO4fs', 'JfnmA6t9hWGbTPEyjA', 'fnkh9956AZ0UKogC56', 'IGwssDgf0e', 'M7csLN8Xsc'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, qn8HZVzKsW0qKGJ613.csHigh entropy of concatenated method names: 'CUBMSJRJL1', 'KfJM9WX3Td', 'r37MHf4oJk', 'v3LM3QJr3I', 'Y07Mn5Y53A', 'bmCMUOg4Rk', 'D7LMlr8SD1', 'b0tM7vgLvJ', 'x4NM0wLByi', 'dBVMZjhM4i'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, ocCpNTHgKywxRYehg3.csHigh entropy of concatenated method names: 'xQQp2aKZ7i', 'TqppSGNarO', 'sZxp9eByrx', 'FtYpHegpef', 'w9Epf7EH6W', 'fhRpjXqRiL', 'NwYpEpamqu', 'gEFpY4tgNR', 'dwnpKVYynT', 'Un6pMbURZQ'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, ReP8oDsXm93lbyEPNK3.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gh8dKZJin4', 'AjAdM1VVUV', 'q40dAQbKZp', 'WoWddYluaU', 'S9edoywQ6Y', 'GOAdc4WRce', 'vc2d7Mo6pG'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, ga4LsD17sh3dIvBW0P.csHigh entropy of concatenated method names: 'euFK3AJvIK', 'gAQKn4yPFh', 'xRAKPGHQ0c', 'tO8KUbOwFD', 'CuxKlGCpuF', 'b9FKWJbYXA', 'LWBKOJwSGY', 'Nt8KadB2NL', 'CyeKNc1WHf', 'FkgK4lK80u'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, QJYhF1uiac9nFLm6lX.csHigh entropy of concatenated method names: 'P2DMpUgYNC', 'dQxMVICshR', 'qabMykibEk', 'e6BMC40k5D', 'f4VMKk3d0P', 'pRZMQs1X8o', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, TXZq00FS1mocMSXYsH.csHigh entropy of concatenated method names: 'wTQExmsCwq', 'gB0EGWpg65', 'ToString', 'i2oEt6TCpb', 'c6SEvwp0Mo', 'LP6Epv9BAv', 'AfPEVXTIkk', 'xt8EyAgNmR', 'wDXECNLhmv', 'ixDEQcj4FM'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, gRsuFjIHd2KsS7oaw2.csHigh entropy of concatenated method names: 'tADV8SgBry', 'fGHVqAlww0', 'uoxpPYvMGy', 'WRYpUjJvcN', 'M0Lplud6J9', 'zbspW7HKfD', 'cwApOTenMY', 'rvtpaWTB8t', 'nUNpNWZ0Db', 'otyp42YsyN'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, Q3LnG9p2R2MHwXGks7.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 's7Wh1ElIwI', 'imvhuUsQ2X', 'RAWhzTeJbq', 'HJ1Lwy2Vuj', 'jn2LsT6CEc', 'cEXLhstItM', 'DlnLLjDkI5', 'xlM3bryX8kL8xjvJrdq'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, DZAHqGOtiyo1Bs9Aqg.csHigh entropy of concatenated method names: 'NToCtMuJci', 'fB2CpoDlRU', 'vroCy1ZOoc', 'xpIyu7yao1', 'FDTyzTDX2X', 'ptKCw4nawu', 'T9ECsMvs0w', 'LYAChwMxxX', 'ofUCLskjDh', 'eAOCXuYNCL'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, m11KElQoaGTS6ScoKL.csHigh entropy of concatenated method names: 'NjOLTaPOyj', 'TL6LtheLGW', 'TY2Lv0f7MU', 'IIFLpJVUh2', 'Bx1LVmWy9l', 'PxjLyerkmU', 'KwdLCa7TP2', 'KNPLQPyPMa', 'J1HLk9RnRg', 'CD3LxwZQFt'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, f57wJhmT7YHopwyBIw.csHigh entropy of concatenated method names: 'ToString', 'zTWjDTwTdM', 'gb1jnHdb23', 'eoljPQaFCW', 'qtYjUG9e5W', 'zjdjlWUoqp', 'bvJjWImEVo', 'NfHjOLveVS', 'NJsja1Crx0', 'awwjNOu6Wm'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, FW0hhQgAOEfCCH3hhp.csHigh entropy of concatenated method names: 'mAaf44AjMT', 'cSDfiI2kd2', 'lG6fg5KQLV', 'o5qfRJLTGC', 'lRnfnpxZhA', 'KymfPpEcPv', 'CwIfUHK9aa', 'GSkflt023Q', 'TnffWHGgPV', 'zSGfO3eLlI'
                    Source: 4.2.Quotation.exe.36ca900.2.raw.unpack, EH5YPs3cO4fsFQ2Gft.csHigh entropy of concatenated method names: 'dQKyTDiwwf', 'kn8yvGbmCH', 'FbWyV47XF9', 'OjSyCdeEiq', 'sjKyQEreog', 'QweVBJVIYc', 'fTAV5eoLDT', 'yoFVrSWL5s', 'l4HVea3sQ7', 'dq2V1dpHoQ'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, gnUSCu92R6bF7qGVZD.csHigh entropy of concatenated method names: 'RZBvgHWrZL', 'xlOvR7y92r', 'NT1vmu1aHi', 'gXFvF3uq5K', 'TafvBRPwMr', 'l5xv5AV5cU', 'eoRvrWsX6j', 'Aj0veL1KGO', 'DxGv1hZpCM', 'PaEvuMCsYg'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, eHT1T75IHvJ8sOUE38.csHigh entropy of concatenated method names: 'uqPEeKOPkI', 'am7EuHBoh6', 'P9jYwxEqW7', 'IL6YsGuJXR', 'cM7EDkbJ4F', 'y2PEi7xAbg', 'xgfEJr8alV', 'AHvEg7Ssvp', 'zHoEREL7AC', 'WKWEm8bM9X'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, LRZpgcvSu5EnCVpLXd.csHigh entropy of concatenated method names: 'Dispose', 'nTHs1YPDXJ', 'YcShngZIac', 'uBB0g0oNLZ', 'it3sueMDTU', 'tCvszwHlNA', 'ProcessDialogKey', 'Dfvhwa4LsD', 'xshhs3dIvB', 'K0PhhJJYhF'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, QW44ZNssmHdh1ViQKBq.csHigh entropy of concatenated method names: 'UMlMuE16JM', 'E9BMzdNXRO', 'rGhAwRq17H', 'Gw4Ask9hkv', 'oCdAhIYP8U', 'volALcxjfj', 'SRXAXUnVWi', 'S08ATEH1MK', 'YdMAtg4Hw3', 'KsdAvkMx9s'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, j8l8X3hGl6YEdJptKd.csHigh entropy of concatenated method names: 'aQ9bNUbPi', 'xne2YxFQw', 'gcUSLjEdW', 'm0FqZlYQj', 't6kHxmPOn', 'SmxIE5jlu', 'vtBQorYgb92uamuWtY', 'vLx0XoaIOkl1LbuvmQ', 'F60YCBCvT', 'lkaMEtehl'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, hSEuaEN37iorj9y7aG.csHigh entropy of concatenated method names: 'DCgC02o78d', 'IfTCZ1Jeh5', 'EsCCbnIYoY', 'Av0C26uQYx', 'k7sC8bVpvS', 'rd1CSH3WQ3', 'UiuCqnndvO', 'mMFC99o929', 'xyGCHGpXdU', 'MogCIZLFjv'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, bMPlLSJ9RqY9YkWwgi.csHigh entropy of concatenated method names: 'Ixm69MkUSq', 'oDL6HAd7EL', 'd77639gl9q', 'qtZ6nOfTwV', 'EnD6UD3LpM', 'Wcx6lvV3AB', 'C386OpvWv6', 'vHL6ayDFjl', 'nUe64kDd0m', 'DD26DmkAP5'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, WYve84rJfGTHYPDXJy.csHigh entropy of concatenated method names: 'Q87KfC9Q5J', 'tcIKEMq3ff', 'DiSKK8fJ7O', 'mprKA0VtjZ', 'rsYKob0KOb', 'OM6K7lSujQ', 'Dispose', 'AhUYtQNqQ2', 'oFfYv9yIsE', 'lbtYpomW2W'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, WTq2RLX5BngG5eQIvd.csHigh entropy of concatenated method names: 'BdpsCnUSCu', 'AR6sQbF7qG', 'egKsxywxRY', 'WhgsG3vRsu', 'xoasfw29H5', 'rPssjcO4fs', 'JfnmA6t9hWGbTPEyjA', 'fnkh9956AZ0UKogC56', 'IGwssDgf0e', 'M7csLN8Xsc'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, qn8HZVzKsW0qKGJ613.csHigh entropy of concatenated method names: 'CUBMSJRJL1', 'KfJM9WX3Td', 'r37MHf4oJk', 'v3LM3QJr3I', 'Y07Mn5Y53A', 'bmCMUOg4Rk', 'D7LMlr8SD1', 'b0tM7vgLvJ', 'x4NM0wLByi', 'dBVMZjhM4i'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, ocCpNTHgKywxRYehg3.csHigh entropy of concatenated method names: 'xQQp2aKZ7i', 'TqppSGNarO', 'sZxp9eByrx', 'FtYpHegpef', 'w9Epf7EH6W', 'fhRpjXqRiL', 'NwYpEpamqu', 'gEFpY4tgNR', 'dwnpKVYynT', 'Un6pMbURZQ'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, ReP8oDsXm93lbyEPNK3.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gh8dKZJin4', 'AjAdM1VVUV', 'q40dAQbKZp', 'WoWddYluaU', 'S9edoywQ6Y', 'GOAdc4WRce', 'vc2d7Mo6pG'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, ga4LsD17sh3dIvBW0P.csHigh entropy of concatenated method names: 'euFK3AJvIK', 'gAQKn4yPFh', 'xRAKPGHQ0c', 'tO8KUbOwFD', 'CuxKlGCpuF', 'b9FKWJbYXA', 'LWBKOJwSGY', 'Nt8KadB2NL', 'CyeKNc1WHf', 'FkgK4lK80u'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, QJYhF1uiac9nFLm6lX.csHigh entropy of concatenated method names: 'P2DMpUgYNC', 'dQxMVICshR', 'qabMykibEk', 'e6BMC40k5D', 'f4VMKk3d0P', 'pRZMQs1X8o', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, TXZq00FS1mocMSXYsH.csHigh entropy of concatenated method names: 'wTQExmsCwq', 'gB0EGWpg65', 'ToString', 'i2oEt6TCpb', 'c6SEvwp0Mo', 'LP6Epv9BAv', 'AfPEVXTIkk', 'xt8EyAgNmR', 'wDXECNLhmv', 'ixDEQcj4FM'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, gRsuFjIHd2KsS7oaw2.csHigh entropy of concatenated method names: 'tADV8SgBry', 'fGHVqAlww0', 'uoxpPYvMGy', 'WRYpUjJvcN', 'M0Lplud6J9', 'zbspW7HKfD', 'cwApOTenMY', 'rvtpaWTB8t', 'nUNpNWZ0Db', 'otyp42YsyN'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, Q3LnG9p2R2MHwXGks7.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 's7Wh1ElIwI', 'imvhuUsQ2X', 'RAWhzTeJbq', 'HJ1Lwy2Vuj', 'jn2LsT6CEc', 'cEXLhstItM', 'DlnLLjDkI5', 'xlM3bryX8kL8xjvJrdq'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, DZAHqGOtiyo1Bs9Aqg.csHigh entropy of concatenated method names: 'NToCtMuJci', 'fB2CpoDlRU', 'vroCy1ZOoc', 'xpIyu7yao1', 'FDTyzTDX2X', 'ptKCw4nawu', 'T9ECsMvs0w', 'LYAChwMxxX', 'ofUCLskjDh', 'eAOCXuYNCL'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, m11KElQoaGTS6ScoKL.csHigh entropy of concatenated method names: 'NjOLTaPOyj', 'TL6LtheLGW', 'TY2Lv0f7MU', 'IIFLpJVUh2', 'Bx1LVmWy9l', 'PxjLyerkmU', 'KwdLCa7TP2', 'KNPLQPyPMa', 'J1HLk9RnRg', 'CD3LxwZQFt'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, f57wJhmT7YHopwyBIw.csHigh entropy of concatenated method names: 'ToString', 'zTWjDTwTdM', 'gb1jnHdb23', 'eoljPQaFCW', 'qtYjUG9e5W', 'zjdjlWUoqp', 'bvJjWImEVo', 'NfHjOLveVS', 'NJsja1Crx0', 'awwjNOu6Wm'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, FW0hhQgAOEfCCH3hhp.csHigh entropy of concatenated method names: 'mAaf44AjMT', 'cSDfiI2kd2', 'lG6fg5KQLV', 'o5qfRJLTGC', 'lRnfnpxZhA', 'KymfPpEcPv', 'CwIfUHK9aa', 'GSkflt023Q', 'TnffWHGgPV', 'zSGfO3eLlI'
                    Source: 4.2.Quotation.exe.83a0000.5.raw.unpack, EH5YPs3cO4fsFQ2Gft.csHigh entropy of concatenated method names: 'dQKyTDiwwf', 'kn8yvGbmCH', 'FbWyV47XF9', 'OjSyCdeEiq', 'sjKyQEreog', 'QweVBJVIYc', 'fTAV5eoLDT', 'yoFVrSWL5s', 'l4HVea3sQ7', 'dq2V1dpHoQ'

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: Quotation.exe PID: 6536, type: MEMORYSTR
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\Quotation.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\Quotation.exeMemory allocated: 2230000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeMemory allocated: 2430000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeMemory allocated: 4430000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeMemory allocated: 8520000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeMemory allocated: 9520000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeMemory allocated: 9720000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeMemory allocated: A720000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeMemory allocated: 10B0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeMemory allocated: 2B40000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeMemory allocated: 28C0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6503Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3147Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeWindow / User API: threadDelayed 2477Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeWindow / User API: threadDelayed 7361Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 1004Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7340Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7604Thread sleep count: 2477 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7604Thread sleep count: 7361 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep count: 37 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -34126476536362649s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -99890s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -99781s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -99672s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -99563s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -99453s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -99344s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -99234s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -99125s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -99015s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -98906s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -98797s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -98687s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -98578s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -98469s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -98359s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -98250s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -98139s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -98031s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -97914s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -97812s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -97703s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -97435s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -97272s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -97126s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -96719s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -96406s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -96176s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -96047s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -95937s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -95827s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -95718s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -95609s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -95500s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -95391s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -95266s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -95155s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -95047s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -94937s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -94828s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -94719s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -94609s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -94499s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -94390s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -94281s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -94172s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -94062s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -93950s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -93844s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -93733s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exe TID: 7616Thread sleep time: -93617s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\Quotation.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Quotation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 99890Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 99781Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 99672Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 99563Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 99453Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 99344Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 99234Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 99125Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 99015Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 98906Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 98797Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 98687Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 98578Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 98469Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 98359Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 98250Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 98139Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 98031Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 97914Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 97812Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 97703Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 97435Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 97272Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 97126Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 96719Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 96406Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 96176Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 96047Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 95937Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 95827Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 95718Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 95609Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 95500Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 95391Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 95266Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 95155Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 95047Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 94937Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 94828Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 94719Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 94609Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 94499Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 94390Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 94281Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 94172Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 94062Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 93950Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 93844Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 93733Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeThread delayed: delay time: 93617Jump to behavior
                    Source: Quotation.exe, 0000000D.00000002.3736627161.0000000000E15000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\Quotation.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe"
                    Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe"Jump to behavior
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\Quotation.exeMemory written: C:\Users\user\Desktop\Quotation.exe base: 400000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeQueries volume information: C:\Users\user\Desktop\Quotation.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeQueries volume information: C:\Users\user\Desktop\Quotation.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 4.2.Quotation.exe.364b6e0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Quotation.exe.3686100.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 13.2.Quotation.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Quotation.exe.3686100.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Quotation.exe.364b6e0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000D.00000002.3738165227.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.3738165227.0000000002B76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.3734092750.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.1294433791.0000000003439000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Quotation.exe PID: 6536, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Quotation.exe PID: 1792, type: MEMORYSTR
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Users\user\Desktop\Quotation.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\Desktop\Quotation.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Users\user\Desktop\Quotation.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Users\user\Desktop\Quotation.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: Yara matchFile source: 4.2.Quotation.exe.364b6e0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Quotation.exe.3686100.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 13.2.Quotation.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Quotation.exe.3686100.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Quotation.exe.364b6e0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000D.00000002.3738165227.0000000002B76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.3734092750.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.1294433791.0000000003439000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Quotation.exe PID: 6536, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Quotation.exe PID: 1792, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 4.2.Quotation.exe.364b6e0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Quotation.exe.3686100.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 13.2.Quotation.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Quotation.exe.3686100.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Quotation.exe.364b6e0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000D.00000002.3738165227.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.3738165227.0000000002B76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.3734092750.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.1294433791.0000000003439000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Quotation.exe PID: 6536, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Quotation.exe PID: 1792, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		11
                    Disable or Modify Tools                    		2
                    OS Credential Dumping                    		1
                    File and Directory Discovery                    		Remote Services11
                    Archive Collected Data                    		12
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts111
                    Process Injection                    		1
                    Deobfuscate/Decode Files or Information                    		21
                    Input Capture                    		24
                    System Information Discovery                    		Remote Desktop Protocol2
                    Data from Local System                    		1
                    Non-Standard Port                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)2
                    Obfuscated Files or Information                    		1
                    Credentials in Registry                    		111
                    Security Software Discovery                    		SMB/Windows Admin Shares1
                    Email Collection                    		1
                    Non-Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                    Software Packing                    		NTDS1
                    Process Discovery                    		Distributed Component Object Model21
                    Input Capture                    		12
                    Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    DLL Side-Loading                    		LSA Secrets141
                    Virtualization/Sandbox Evasion                    		SSH1
                    Clipboard Data                    		Fallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Masquerading                    		Cached Domain Credentials1
                    Application Window Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items141
                    Virtualization/Sandbox Evasion                    		DCSync1
                    System Network Configuration Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job111
                    Process Injection                    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1558498 Sample: Quotation.exe Startdate: 19/11/2024 Architecture: WINDOWS Score: 100 28 showpiece.trillennium.biz 2->28 30 mail.showpiece.trillennium.biz 2->30 32 api.ipify.org 2->32 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 9 other signatures 2->44 8 Quotation.exe 4 2->8         started        signatures3 process4 file5 26 C:\Users\user\AppData\...\Quotation.exe.log, ASCII 8->26 dropped 46 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->46 48 Adds a directory exclusion to Windows Defender 8->48 50 Injects a PE file into a foreign processes 8->50 12 Quotation.exe 15 2 8->12         started        16 powershell.exe 23 8->16         started        18 Quotation.exe 8->18         started        20 Quotation.exe 8->20         started        signatures6 process7 dnsIp8 34 showpiece.trillennium.biz 67.23.226.139, 587 DIMENOCUS United States 12->34 36 api.ipify.org 104.26.13.205, 443, 49702 CLOUDFLARENETUS United States 12->36 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->52 54 Tries to steal Mail credentials (via file / registry access) 12->54 56 Tries to harvest and steal ftp login credentials 12->56 60 2 other signatures 12->60 58 Loading BitLocker PowerShell Module 16->58 22 WmiPrvSE.exe 16->22         started        24 conhost.exe 16->24         started        signatures9 process10

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    Quotation.exe50%ReversingLabsByteCode-MSIL.Trojan.Genie8DN
                    Quotation.exe100%Joe Sandbox ML

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://mail.showpiece.trillennium.biz0%Avira URL Cloudsafe
                    http://showpiece.trillennium.biz0%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    api.ipify.org
                    		104.26.13.205
                    		truefalse
                      		high
                      showpiece.trillennium.biz
                      		67.23.226.139
                      		truetrue
                        		unknown
                        mail.showpiece.trillennium.biz
                        		unknown
                        		unknowntrue
                          		unknown

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          http://showpiece.trillennium.bizQuotation.exe, 0000000D.00000002.3738165227.0000000002BA8000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://api.ipify.orgQuotation.exe, 00000004.00000002.1294433791.0000000003439000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000D.00000002.3738165227.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000D.00000002.3734092750.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                            		high
                            https://account.dyn.com/Quotation.exe, 00000004.00000002.1294433791.0000000003439000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000D.00000002.3734092750.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                              		high
                              http://mail.showpiece.trillennium.bizQuotation.exe, 0000000D.00000002.3738165227.0000000002BA8000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameQuotation.exe, 00000004.00000002.1292437166.00000000024A5000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000D.00000002.3738165227.0000000002B41000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://tempuri.org/project_mgtDataSet.xsdOproject_mgt_system.Properties.ResourcesQuotation.exefalse
                                  		high

                                  World Map of Contacted IPs

                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs

                                  Public IPs

                                  IPDomainCountryFlagASNASN NameMalicious
                                  67.23.226.139
                                  		showpiece.trillennium.bizUnited States
                                  		33182DIMENOCUStrue
                                  104.26.13.205
                                  		api.ipify.orgUnited States
                                  		13335CLOUDFLARENETUSfalse

                                  General Information

                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1558498
                                  Start date and time:2024-11-19 14:29:57 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 8m 24s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:21
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:Quotation.exe
                                  Detection:MAL
                                  Classification:mal100.troj.spyw.evad.winEXE@11/6@2/2
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 98%
                                  • Number of executed functions: 163
                                  • Number of non-executed functions: 15
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Override analysis time to 240000 for current running targets taking high CPU consumption

                                  Warnings

                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtCreateKey calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                  • VT rate limit hit for: Quotation.exe

                                  Simulations

                                  Behavior and APIs

                                  TimeTypeDescription
                                  08:30:53API Interceptor8870001x Sleep call for process: Quotation.exe modified
                                  08:30:55API Interceptor14x Sleep call for process: powershell.exe modified

                                  Joe Sandbox View / Context

                                  IPs

                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  67.23.226.139Quotation.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                    3Pd480eWHA.exeGet hashmaliciousAgentTeslaBrowse
                                      Quotation.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                        COTIZACION.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                          Quotation.exeGet hashmaliciousAgentTeslaBrowse
                                            Quotation.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                              Quotation.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                Revised PI 28 08 2024.exeGet hashmaliciousAgentTeslaBrowse
                                                  PI 22_8_2024.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                    COTIZACION 19 08 24.exeGet hashmaliciousAgentTeslaBrowse
                                                      104.26.13.2052b7cu0KwZl.exeGet hashmaliciousUnknownBrowse
                                                      • api.ipify.org/
                                                      file.exeGet hashmaliciousUnknownBrowse
                                                      • api.ipify.org/
                                                      file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                      • api.ipify.org/
                                                      file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                      • api.ipify.org/
                                                      file.exeGet hashmaliciousRDPWrap ToolBrowse
                                                      • api.ipify.org/
                                                      Prismifyr-Install.exeGet hashmaliciousNode StealerBrowse
                                                      • api.ipify.org/
                                                      file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                      • api.ipify.org/
                                                      file.exeGet hashmaliciousLummaC, RDPWrap Tool, LummaC Stealer, VidarBrowse
                                                      • api.ipify.org/
                                                      file.exeGet hashmaliciousUnknownBrowse
                                                      • api.ipify.org/
                                                      file.exeGet hashmaliciousLummaC, RDPWrap Tool, LummaC Stealer, Stealc, VidarBrowse
                                                      • api.ipify.org/

                                                      Domains

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      api.ipify.orgDOCS.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 172.67.74.152
                                                      1Sj5F6P4nv.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                      • 104.26.12.205
                                                      5LEXIucyEP.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                      • 172.67.74.152
                                                      44qLDKzsfO.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                      • 104.26.12.205
                                                      gP5rh6fa0S.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                      • 104.26.12.205
                                                      spacers.exeGet hashmaliciousUnknownBrowse
                                                      • 104.26.12.205
                                                      https://drive.google.com/uc?export=download&id=1YBKJhy1GWwuEta_1b7KX-jKtXfpHDuuYGet hashmaliciousHTMLPhisherBrowse
                                                      • 104.26.12.205
                                                      urkOkB0BdX.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                      • 172.67.74.152
                                                      8F0oMWUhg7.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                      • 104.26.12.205
                                                      [Inquiry] mv Palmela - CE replacement at your port, oa Nov. 22nd.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 172.67.74.152

                                                      ASNs

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      CLOUDFLARENETUSd29z3fwo37.exeGet hashmaliciousAsyncRAT, StormKitty, WorldWind StealerBrowse
                                                      • 172.67.196.114
                                                      Review_&_Aprove_Your_Next_Payment76770.htmlGet hashmaliciousUnknownBrowse
                                                      • 104.17.25.14
                                                      file.exeGet hashmaliciousLummaCBrowse
                                                      • 104.21.81.208
                                                      payload_1.ps1Get hashmaliciousUnknownBrowse
                                                      • 172.67.207.199
                                                      FjMBwo1meU.xlsxGet hashmaliciousUnknownBrowse
                                                      • 188.114.96.3
                                                      qupybikrqX.docGet hashmaliciousUnknownBrowse
                                                      • 104.21.90.242
                                                      https://dorentop.es/yorii/Odrivex/Get hashmaliciousUnknownBrowse
                                                      • 172.67.133.148
                                                      hmjsOnyfSB.dllGet hashmaliciousLummaCBrowse
                                                      • 172.67.184.174
                                                      FjMBwo1meU.xlsxGet hashmaliciousUnknownBrowse
                                                      • 188.114.96.3
                                                      qupybikrqX.docGet hashmaliciousUnknownBrowse
                                                      • 104.21.90.242
                                                      DIMENOCUSQuotation.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                      • 67.23.226.139
                                                      hiss.mpsl.elfGet hashmaliciousUnknownBrowse
                                                      • 198.136.58.114
                                                      Updated Document-9875488675.pdfGet hashmaliciousCaptcha PhishBrowse
                                                      • 67.23.254.53
                                                      3Pd480eWHA.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 67.23.226.139
                                                      Quotation.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                      • 67.23.226.139
                                                      COTIZACION.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                      • 67.23.226.139
                                                      Quotation.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 67.23.226.139
                                                      Quotation.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                      • 67.23.226.139
                                                      Quotation.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                      • 67.23.226.139
                                                      https://lumen.backerkit.com/invites/mAqpu6B5ZtIAsrg4a5WdGA/confirm?redirect_path=//rahul-garg-lcatterton-com.athuselevadores.com.brGet hashmaliciousHTMLPhisherBrowse
                                                      • 107.161.183.172

                                                      JA3 Fingerprints

                                                      No context

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation.exe.log

                                                      Download File
                                                      Process:C:\Users\user\Desktop\Quotation.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1216
                                                      Entropy (8bit):5.34331486778365
                                                      Encrypted:false
                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                      Malicious:true
                                                      Reputation:high, very likely benign file
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):2232
                                                      Entropy (8bit):5.380805901110357
                                                      Encrypted:false
                                                      SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//MPUyus:lGLHyIFKL3IZ2KRH9Ougss
                                                      MD5:C961E3496AA47D8AF3F9E184D4F78133
                                                      SHA1:0EFEA67BD361E99BBE642D6EF414EBE7BB6EC134
                                                      SHA-256:303E0E36CAC4900807E47B6AF8CDAB4FBFDB6A67D66F84F49E283557EA1774B1
                                                      SHA-512:C3ECDCCF25D96C4F0C7B6407C8BAA7A0496C656C63E4757982FA1A754AF5B7902F3318F0AFE1363F365714584869A5E1E754692A84D814DD9EFDEB909A3104A3
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_35nan4xm.0aj.psm1

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Reputation:high, very likely benign file
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_seuynxxz.qqt.ps1

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_umfec4jx.yhu.psm1

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v2huboqp.ffk.ps1

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.937358030826137
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Windows Screen Saver (13104/52) 0.07%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      File name:Quotation.exe
                                                      File size:670'208 bytes
                                                      MD5:404a7ca256047297656926bbea03415f
                                                      SHA1:de02afb6d97f497ddaa0025a358b501a1ee942e4
                                                      SHA256:f03acdb2a846f8060d76c3d81651949b5699a5dee5b2b26ec238872defd12252
                                                      SHA512:1c14b08ae8e339936dbaed751e979d2e376d05602ffdc80411d46a0d630b167be071ee9dadf6c478c91cad37441222b196952dffe7f35111d13113ad2a5a3ee1
                                                      SSDEEP:12288:c1o7Me/hO6Umv8qUYV/WxdN2LeszNZomchu2/9OOo8fQRI7V6di1NM2B:Ao7ZhO5mv845veaomtk9Ocf7iAD
                                                      TLSH:D6E412A562ACCBAAE1BD4BF69465605023F171BA7931F25D8FD320ED097BF404B21E07
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=b<g..............0..............M... ...`....@.. ....................................@................................

                                                      File Icon

                                                      Icon Hash:00928e8e8686b000

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0x4a4d06
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x673C623D [Tue Nov 19 10:02:37 2024 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Entrypoint Preview

                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al

                                                      Data Directories

                                                      NameVirtual AddressVirtual Size Is in Section
                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0xa4cb30x4f.text
                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0xa60000x64c.rsrc
                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0xa80000xc.reloc
                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0xa2bb00x54.text
                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                      Sections

                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                      .text0x20000xa2d0c0xa2e00359d3ddc55eac23204760edd8572df1eFalse0.9555248105333844data7.945855715131603IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                      .rsrc0xa60000x64c0x800fc5d7f5be0f12f81aee8985d3b766154False0.3408203125data3.5066612303843345IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .reloc0xa80000xc0x20030ac7090a8d7bd799dcec0ece7385255False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                      Resources

                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                      RT_VERSION0xa60900x3bcdata0.4131799163179916
                                                      RT_MANIFEST0xa645c0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                      Imports

                                                      DLLImport
                                                      mscoree.dll_CorExeMain

                                                      Network Behavior

                                                      Network Port Distribution

                                                      TCP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Nov 19, 2024 14:30:56.549623966 CET49702443192.168.2.7104.26.13.205
                                                      Nov 19, 2024 14:30:56.549763918 CET44349702104.26.13.205192.168.2.7
                                                      Nov 19, 2024 14:30:56.549899101 CET49702443192.168.2.7104.26.13.205
                                                      Nov 19, 2024 14:30:56.597412109 CET49702443192.168.2.7104.26.13.205
                                                      Nov 19, 2024 14:30:56.597459078 CET44349702104.26.13.205192.168.2.7
                                                      Nov 19, 2024 14:31:06.622030020 CET49702443192.168.2.7104.26.13.205
                                                      Nov 19, 2024 14:31:06.663348913 CET44349702104.26.13.205192.168.2.7
                                                      Nov 19, 2024 14:31:07.942030907 CET49706587192.168.2.767.23.226.139
                                                      Nov 19, 2024 14:31:08.946415901 CET49706587192.168.2.767.23.226.139
                                                      Nov 19, 2024 14:31:10.951796055 CET49706587192.168.2.767.23.226.139
                                                      Nov 19, 2024 14:31:14.951776028 CET49706587192.168.2.767.23.226.139
                                                      Nov 19, 2024 14:31:22.951854944 CET49706587192.168.2.767.23.226.139
                                                      Nov 19, 2024 14:33:06.687391996 CET49702443192.168.2.7104.26.13.205

                                                      UDP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Nov 19, 2024 14:30:56.528702974 CET5858153192.168.2.71.1.1.1
                                                      Nov 19, 2024 14:30:56.536036968 CET53585811.1.1.1192.168.2.7
                                                      Nov 19, 2024 14:31:07.271276951 CET4941953192.168.2.71.1.1.1
                                                      Nov 19, 2024 14:31:07.940645933 CET53494191.1.1.1192.168.2.7

                                                      DNS Queries

                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                      Nov 19, 2024 14:30:56.528702974 CET192.168.2.71.1.1.10x5e24Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                      Nov 19, 2024 14:31:07.271276951 CET192.168.2.71.1.1.10xbf72Standard query (0)mail.showpiece.trillennium.bizA (IP address)IN (0x0001)false

                                                      DNS Answers

                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                      Nov 19, 2024 14:30:56.536036968 CET1.1.1.1192.168.2.70x5e24No error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                      Nov 19, 2024 14:30:56.536036968 CET1.1.1.1192.168.2.70x5e24No error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                      Nov 19, 2024 14:30:56.536036968 CET1.1.1.1192.168.2.70x5e24No error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                      Nov 19, 2024 14:31:07.940645933 CET1.1.1.1192.168.2.70xbf72No error (0)mail.showpiece.trillennium.bizshowpiece.trillennium.bizCNAME (Canonical name)IN (0x0001)false
                                                      Nov 19, 2024 14:31:07.940645933 CET1.1.1.1192.168.2.70xbf72No error (0)showpiece.trillennium.biz67.23.226.139A (IP address)IN (0x0001)false

                                                      Statistics

                                                      CPU Usage

                                                      Click to jump to process

                                                      Memory Usage

                                                      Click to jump to process

                                                      High Level Behavior Distribution

                                                      Click to dive into process behavior distribution

                                                      Behavior

                                                      Click to jump to process

                                                      System Behavior

                                                      General

                                                      Target ID:4
                                                      Start time:08:30:53
                                                      Start date:19/11/2024
                                                      Path:C:\Users\user\Desktop\Quotation.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\Quotation.exe"
                                                      Imagebase:0x50000
                                                      File size:670'208 bytes
                                                      MD5 hash:404A7CA256047297656926BBEA03415F
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1294433791.0000000003439000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.1294433791.0000000003439000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:low
                                                      Has exited:true

                                                      General

                                                      Target ID:9
                                                      Start time:08:30:54
                                                      Start date:19/11/2024
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe"
                                                      Imagebase:0x6e0000
                                                      File size:433'152 bytes
                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:10
                                                      Start time:08:30:54
                                                      Start date:19/11/2024
                                                      Path:C:\Users\user\Desktop\Quotation.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\Desktop\Quotation.exe"
                                                      Imagebase:0x7ff7b4ee0000
                                                      File size:670'208 bytes
                                                      MD5 hash:404A7CA256047297656926BBEA03415F
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      General

                                                      Target ID:11
                                                      Start time:08:30:54
                                                      Start date:19/11/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:12
                                                      Start time:08:30:54
                                                      Start date:19/11/2024
                                                      Path:C:\Users\user\Desktop\Quotation.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\Desktop\Quotation.exe"
                                                      Imagebase:0x200000
                                                      File size:670'208 bytes
                                                      MD5 hash:404A7CA256047297656926BBEA03415F
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      General

                                                      Target ID:13
                                                      Start time:08:30:54
                                                      Start date:19/11/2024
                                                      Path:C:\Users\user\Desktop\Quotation.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\Quotation.exe"
                                                      Imagebase:0x6c0000
                                                      File size:670'208 bytes
                                                      MD5 hash:404A7CA256047297656926BBEA03415F
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3738165227.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.3738165227.0000000002B76000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3738165227.0000000002B76000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.3734092750.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3734092750.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:low
                                                      Has exited:false

                                                      General

                                                      Target ID:14
                                                      Start time:08:30:56
                                                      Start date:19/11/2024
                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                      Imagebase:0x7ff7fb730000
                                                      File size:496'640 bytes
                                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Disassembly

                                                      Reset < >

                                                        Execution Graph

                                                        Execution Coverage:10.1%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:131
                                                        Total number of Limit Nodes:6
                                                        execution_graph 27746 227ac70 27750 227ad68 27746->27750 27755 227ad58 27746->27755 27747 227ac7f 27751 227ad9c 27750->27751 27752 227ad79 27750->27752 27751->27747 27752->27751 27753 227afa0 GetModuleHandleW 27752->27753 27754 227afcd 27753->27754 27754->27747 27756 227ad79 27755->27756 27757 227ad9c 27755->27757 27756->27757 27758 227afa0 GetModuleHandleW 27756->27758 27757->27747 27759 227afcd 27758->27759 27759->27747 27882 227d000 27883 227d046 GetCurrentProcess 27882->27883 27885 227d091 27883->27885 27886 227d098 GetCurrentThread 27883->27886 27885->27886 27887 227d0d5 GetCurrentProcess 27886->27887 27888 227d0ce 27886->27888 27889 227d10b 27887->27889 27888->27887 27890 227d133 GetCurrentThreadId 27889->27890 27891 227d164 27890->27891 27892 227d650 DuplicateHandle 27893 227d6e6 27892->27893 27760 6b4252e 27761 6b424bc 27760->27761 27763 6b42531 27760->27763 27762 6b424ea 27761->27762 27776 6b42b15 27761->27776 27781 6b42b6d 27761->27781 27788 6b42a43 27761->27788 27793 6b42c45 27761->27793 27798 6b42cda 27761->27798 27802 6b42d19 27761->27802 27807 6b42959 27761->27807 27811 6b430dd 27761->27811 27815 6b42d52 27761->27815 27820 6b42d70 27761->27820 27825 6b42a57 27761->27825 27829 6b430b6 27761->27829 27777 6b42b1b 27776->27777 27834 6b40ee0 27777->27834 27838 6b40ee8 27777->27838 27778 6b42b4d 27778->27762 27842 6b40911 27781->27842 27846 6b40918 27781->27846 27782 6b42b87 27783 6b42ba6 27782->27783 27850 6b40860 27782->27850 27854 6b40868 27782->27854 27783->27762 27789 6b42a50 27788->27789 27858 6b40fd8 27789->27858 27862 6b40fd1 27789->27862 27790 6b43049 27794 6b42c4b 27793->27794 27796 6b40860 ResumeThread 27794->27796 27797 6b40868 ResumeThread 27794->27797 27795 6b42ba6 27795->27762 27796->27795 27797->27795 27866 6b40e20 27798->27866 27870 6b40e28 27798->27870 27799 6b42cf8 27803 6b42c71 27802->27803 27804 6b42ba6 27803->27804 27805 6b40860 ResumeThread 27803->27805 27806 6b40868 ResumeThread 27803->27806 27804->27762 27805->27804 27806->27804 27874 6b41164 27807->27874 27878 6b41170 27807->27878 27813 6b40ee0 WriteProcessMemory 27811->27813 27814 6b40ee8 WriteProcessMemory 27811->27814 27812 6b429b9 27813->27812 27814->27812 27816 6b42c72 27815->27816 27817 6b42ba6 27816->27817 27818 6b40860 ResumeThread 27816->27818 27819 6b40868 ResumeThread 27816->27819 27817->27762 27818->27817 27819->27817 27821 6b42d79 27820->27821 27823 6b40ee0 WriteProcessMemory 27821->27823 27824 6b40ee8 WriteProcessMemory 27821->27824 27822 6b4321e 27823->27822 27824->27822 27827 6b40911 Wow64SetThreadContext 27825->27827 27828 6b40918 Wow64SetThreadContext 27825->27828 27826 6b42a71 27826->27762 27827->27826 27828->27826 27830 6b42b4d 27829->27830 27831 6b42b2c 27829->27831 27830->27762 27832 6b40ee0 WriteProcessMemory 27831->27832 27833 6b40ee8 WriteProcessMemory 27831->27833 27832->27830 27833->27830 27835 6b40f30 WriteProcessMemory 27834->27835 27837 6b40f87 27835->27837 27837->27778 27839 6b40f30 WriteProcessMemory 27838->27839 27841 6b40f87 27839->27841 27841->27778 27843 6b40918 Wow64SetThreadContext 27842->27843 27845 6b409a5 27843->27845 27845->27782 27847 6b4095d Wow64SetThreadContext 27846->27847 27849 6b409a5 27847->27849 27849->27782 27851 6b408a8 ResumeThread 27850->27851 27853 6b408d9 27851->27853 27853->27783 27855 6b408a8 ResumeThread 27854->27855 27857 6b408d9 27855->27857 27857->27783 27859 6b41023 ReadProcessMemory 27858->27859 27861 6b41067 27859->27861 27861->27790 27863 6b40fdd ReadProcessMemory 27862->27863 27865 6b41067 27863->27865 27865->27790 27867 6b40e68 VirtualAllocEx 27866->27867 27869 6b40ea5 27867->27869 27869->27799 27871 6b40e68 VirtualAllocEx 27870->27871 27873 6b40ea5 27871->27873 27873->27799 27875 6b41175 CreateProcessA 27874->27875 27877 6b413bb 27875->27877 27879 6b411f9 CreateProcessA 27878->27879 27881 6b413bb 27879->27881 27715 6b438b8 27716 6b438de 27715->27716 27717 6b43a43 27715->27717 27716->27717 27720 6b43b30 27716->27720 27723 6b43b38 PostMessageW 27716->27723 27721 6b43b3d PostMessageW 27720->27721 27722 6b43ba4 27721->27722 27722->27716 27724 6b43ba4 27723->27724 27724->27716 27725 2274668 27726 227467a 27725->27726 27727 2274686 27726->27727 27729 2274779 27726->27729 27730 227479d 27729->27730 27734 2274879 27730->27734 27738 2274888 27730->27738 27736 2274888 27734->27736 27735 227498c 27736->27735 27742 22744b4 27736->27742 27740 22748af 27738->27740 27739 227498c 27739->27739 27740->27739 27741 22744b4 CreateActCtxA 27740->27741 27741->27739 27743 2275918 CreateActCtxA 27742->27743 27745 22759db 27743->27745

                                                        Executed Functions

                                                        Function 06A034B8 Relevance: 5.6, Strings: 4, Instructions: 562COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 496 6a034b8-6a034e0 497 6a034e2 496->497 498 6a034e7-6a035a3 496->498 497->498 501 6a035a5-6a035a6 498->501 502 6a035a8-6a035b5 498->502 503 6a035c7-6a035cb 501->503 502->501 502->503 504 6a035d1-6a035fb 503->504 505 6a03abb-6a03afd 503->505 508 6a03601-6a03619 504->508 509 6a03cc8-6a03cd4 504->509 514 6a03b00-6a03b04 505->514 510 6a03cda-6a03ce3 508->510 511 6a0361f-6a03620 508->511 509->510 517 6a03ce9-6a03cf5 510->517 513 6a03cae-6a03cba 511->513 518 6a03cc0-6a03cc7 513->518 519 6a03625-6a03631 513->519 515 6a036d6-6a036da 514->515 516 6a03b0a-6a03b10 514->516 521 6a036ec-6a036f2 515->521 522 6a036dc-6a036ea 515->522 516->505 520 6a03b12-6a03b6d 516->520 525 6a03cfb-6a03d07 517->525 523 6a03633 519->523 524 6a03638-6a03653 519->524 544 6a03ba4-6a03bce 520->544 545 6a03b6f-6a03ba2 520->545 527 6a03737-6a0373b 521->527 526 6a0374a-6a0377c 522->526 523->524 524->517 528 6a03659-6a0367e 524->528 532 6a03d0d-6a03d14 525->532 550 6a037a6 526->550 551 6a0377e-6a0378a 526->551 529 6a036f4-6a03700 527->529 530 6a0373d 527->530 528->525 542 6a03684-6a03686 528->542 535 6a03702 529->535 536 6a03707-6a0370f 529->536 533 6a03740-6a03744 530->533 533->526 538 6a036bc-6a036d3 533->538 535->536 540 6a03711-6a03725 536->540 541 6a03734 536->541 538->515 543 6a03689-6a03694 540->543 547 6a0372b-6a03732 540->547 541->527 542->543 543->532 548 6a0369a-6a036b7 543->548 559 6a03bd7-6a03c56 544->559 545->559 547->530 548->533 556 6a037ac-6a037d9 550->556 553 6a03794-6a0379a 551->553 554 6a0378c-6a03792 551->554 560 6a037a4 553->560 554->560 563 6a03828-6a038bb 556->563 564 6a037db-6a03813 556->564 571 6a03c5d-6a03c70 559->571 560->556 579 6a038c4-6a038c5 563->579 580 6a038bd 563->580 572 6a03c7f-6a03c84 564->572 571->572 573 6a03c86-6a03c94 572->573 574 6a03c9b-6a03cab 572->574 573->574 574->513 581 6a03916-6a0391c 579->581 580->579 582 6a038c7-6a038e6 581->582 583 6a0391e-6a039e0 581->583 584 6a038e8 582->584 585 6a038ed-6a03913 582->585 594 6a03a21-6a03a25 583->594 595 6a039e2-6a03a1b 583->595 584->585 585->581 596 6a03a66-6a03a6a 594->596 597 6a03a27-6a03a60 594->597 595->594 598 6a03aab-6a03aaf 596->598 599 6a03a6c-6a03aa5 596->599 597->596 598->520 602 6a03ab1-6a03ab9 598->602 599->598 602->514
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'q$:$pq$~
                                                        • API String ID: 0-4038137657
                                                        • Opcode ID: 6fc42037eafedcc5b19e7018c22138e18d46b6214710a03e7d66ea733366fa01
                                                        • Instruction ID: f3d668552bb2a24ea0c1876a031c01d49b34890f6ef9f699f593f8f7ad32d659
                                                        • Opcode Fuzzy Hash: 6fc42037eafedcc5b19e7018c22138e18d46b6214710a03e7d66ea733366fa01
                                                        • Instruction Fuzzy Hash: 9842F275E00218DFEB55DFA9D980B99BBB2FF88300F1580E9E509AB261D731AD91CF50
                                                        Function 06A02106 Relevance: 1.8, Strings: 1, Instructions: 562COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 670 6a02106-6a0210a 671 6a0210b-6a02120 670->671 672 6a02acd-6a02ae3 670->672 671->672 673 6a02121-6a0212c 671->673 675 6a02132-6a0213e 673->675 676 6a0214a-6a02159 675->676 678 6a021b8-6a021bc 676->678 679 6a021c2-6a021cb 678->679 680 6a02264-6a022ce 678->680 681 6a021d1-6a021e7 679->681 682 6a020c6-6a020d2 679->682 680->672 719 6a022d4-6a0281b 680->719 690 6a02239-6a0224b 681->690 691 6a021e9-6a021ec 681->691 682->672 684 6a020d8-6a020e4 682->684 685 6a020e6-6a020fa 684->685 686 6a0215b-6a02161 684->686 685->686 696 6a020fc-6a02105 685->696 686->672 688 6a02167-6a0217f 686->688 688->672 699 6a02185-6a021ad 688->699 700 6a02251-6a02261 690->700 701 6a02a0c-6a02ac2 690->701 691->672 693 6a021f2-6a0222f 691->693 693->680 714 6a02231-6a02237 693->714 696->670 699->678 701->672 714->690 714->691 796 6a02832-6a028c5 719->796 797 6a0281d-6a02827 719->797 798 6a028d0-6a02963 796->798 797->798 799 6a0282d 797->799 800 6a0296e-6a02a01 798->800 799->800 800->701
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: D
                                                        • API String ID: 0-2746444292
                                                        • Opcode ID: 2c5085888ede12ee2867bc087a707ed7d30ee359ec98c853a25eadb287893fee
                                                        • Instruction ID: de1805f8957cd03bb3061edb3e9079ce94e4cfb3b49f5c7b185bbeffee3c3a2e
                                                        • Opcode Fuzzy Hash: 2c5085888ede12ee2867bc087a707ed7d30ee359ec98c853a25eadb287893fee
                                                        • Instruction Fuzzy Hash: E852A674A012298FDB64DF64D998B9DB7B2FF89301F1081E9D50AA7365CB34AE81CF50
                                                        Function 0227A3F0 Relevance: .7, Instructions: 662COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1291933981.0000000002270000.00000040.00000800.00020000.00000000.sdmp, Offset: 02270000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2270000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a1d3e1269bbd25e28be074cc6b3abb2ee38c0ca08aa748828f4769fbd1818681
                                                        • Instruction ID: 1c013bcd846932adbc4fc856272df789a04305f00c007ed7ea63e1fe2f5a2a7c
                                                        • Opcode Fuzzy Hash: a1d3e1269bbd25e28be074cc6b3abb2ee38c0ca08aa748828f4769fbd1818681
                                                        • Instruction Fuzzy Hash: B842F030A147168FCB15CFA8C880AAEB7F6FF45320B058969D856DB299D730FD95CB90
                                                        Function 06B448A0 Relevance: .4, Instructions: 409COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297291642.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6b40000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c3916697390288debcfe22be826294cb444068ef3441908691086c44d827b5c6
                                                        • Instruction ID: 81e5db3ea6cf01dfce16237e3d8e45df58c66da6f0bc702ac2bcfeadfa967b50
                                                        • Opcode Fuzzy Hash: c3916697390288debcfe22be826294cb444068ef3441908691086c44d827b5c6
                                                        • Instruction Fuzzy Hash: D6E1CBB0B017048FDB65EBB9C560BAEB7FBEF89701F1444A9D14A9B290CB35E801DB50
                                                        Function 06A0BCB8 Relevance: .1, Instructions: 64COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b9c0f470f4eb82bff7bd1ccf691c84c076d74a2dbb49252b9cb13463bce879e3
                                                        • Instruction ID: af84296a0cbff5e2656305e4135e4b8b7e3addbfc6cb1f334f45cdb0223caff0
                                                        • Opcode Fuzzy Hash: b9c0f470f4eb82bff7bd1ccf691c84c076d74a2dbb49252b9cb13463bce879e3
                                                        • Instruction Fuzzy Hash: 2921E5B1D046589FEB18CFA7D8447DEFFF6AF89300F04C16AD409AA294DB7509468FA1
                                                        Function 06A02C38 Relevance: 7.9, Strings: 6, Instructions: 443COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 294 6a02c38-6a02c4a 295 6a02c53-6a02c5f 294->295 296 6a02c4c-6a02c4e 294->296 299 6a02c61-6a02c63 295->299 300 6a02c68-6a02c7d 295->300 297 6a02d26-6a02d2b 296->297 299->297 303 6a02c91-6a02c9d 300->303 304 6a02c7f-6a02c8a 300->304 307 6a02caa-6a02cac 303->307 308 6a02c9f-6a02ca8 303->308 304->303 309 6a02cbc-6a02cc0 307->309 310 6a02cae-6a02cba 307->310 308->307 311 6a02cc2-6a02ccc 309->311 312 6a02cce-6a02cd0 309->312 310->309 316 6a02cd2-6a02cdc 310->316 317 6a02d38-6a02d44 311->317 312->297 320 6a02d2c-6a02d36 316->320 321 6a02cde-6a02cea 316->321 322 6a02d51-6a02d53 317->322 323 6a02d46-6a02d4f 317->323 320->317 326 6a02cfc-6a02cfe 321->326 327 6a02cec-6a02cfa 321->327 322->297 323->297 326->297 327->326 330 6a02d00-6a02d06 327->330 331 6a02d08 330->331 332 6a02d0a 330->332 333 6a02d0c-6a02d0e 331->333 332->333 334 6a02d10-6a02d1c 333->334 335 6a02d55-6a02de1 333->335 334->335 338 6a02d1e 334->338 348 6a02de3-6a02ded 335->348 349 6a02def-6a02e0b 335->349 338->297 348->349 352 6a02e28-6a02e3c 348->352 354 6a02e23-6a02e25 349->354 355 6a02e0d-6a02e21 349->355 359 6a02e43-6a02e79 352->359 355->354 355->359 364 6a02f4e-6a02f51 359->364 365 6a02e7f-6a02e91 359->365 367 6a02e93-6a02e96 365->367 368 6a02ea6-6a02ea9 365->368 369 6a02f1b-6a02f21 367->369 370 6a02e9c-6a02e9f 367->370 371 6a02eb9-6a02ebf 368->371 372 6a02eab-6a02eae 368->372 373 6a02f23-6a02f25 369->373 374 6a02f27-6a02f33 369->374 377 6a02ea1 370->377 378 6a02eea-6a02ef0 370->378 375 6a02ec1-6a02ec3 371->375 376 6a02ec5-6a02ed1 371->376 379 6a02eb4 372->379 380 6a02f4a-6a02f4c 372->380 381 6a02f35-6a02f48 373->381 374->381 382 6a02ed3-6a02ee8 375->382 376->382 377->380 383 6a02ef2-6a02ef4 378->383 384 6a02ef6-6a02f02 378->384 379->380 380->364 385 6a02f52-6a02fe5 380->385 381->380 382->380 388 6a02f04-6a02f19 383->388 384->388 401 6a02fe7 385->401 402 6a02fec-6a03000 385->402 388->380 401->402 403 6a030f4 402->403 404 6a03006-6a0300b 402->404 407 6a030fa-6a030fb 403->407 405 6a03011-6a03016 404->405 406 6a030c6 404->406 408 6a03100 405->408 409 6a0301c-6a0301d 405->409 450 6a030c9 call 6a08508 406->450 451 6a030c9 call 6a084fa 406->451 407->404 441 6a03100 call 6a032d0 408->441 442 6a03100 call 6a032c2 408->442 434 6a03020 call 6a03d30 409->434 435 6a03020 call 6a03d21 409->435 436 6a03020 call 6a03d9e 409->436 410 6a030cf-6a030da 418 6a030e3 410->418 419 6a030dc-6a030e0 410->419 411 6a03026-6a03033 413 6a03039-6a0303d 411->413 414 6a0310c-6a03113 411->414 412 6a03106-6a03107 412->409 416 6a03043-6a0305b 413->416 417 6a03118-6a0311f 413->417 414->413 425 6a03061-6a03064 416->425 426 6a03124-6a0312b 416->426 417->416 437 6a030e3 call 6b43850 418->437 438 6a030e3 call 6b43840 418->438 420 6a030e2 419->420 421 6a03086-6a03087 419->421 420->418 443 6a0308a call 6a06c28 421->443 444 6a0308a call 6a06c18 421->444 424 6a030e9-6a030f1 445 6a03067 call 6a043b0 425->445 446 6a03067 call 6a043c0 425->446 426->425 427 6a03090-6a0309c 447 6a0309f call 6a07f50 427->447 448 6a0309f call 6a07f41 427->448 449 6a0309f call 6a07ef9 427->449 428 6a0306d-6a0307a 431 6a03130-6a03137 428->431 432 6a03080 428->432 429 6a030a5-6a030b2 429->418 430 6a030b4 429->430 439 6a030b7 call 6a083c8 430->439 440 6a030b7 call 6a083d8 430->440 431->432 432->421 433 6a030bd-6a030c3 433->406 434->411 435->411 436->411 437->424 438->424 439->433 440->433 441->412 442->412 443->427 444->427 445->428 446->428 447->429 448->429 449->429 450->410 451->410
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'q$4'q$4'q$4|q$4|q$$q
                                                        • API String ID: 0-3102600102
                                                        • Opcode ID: a8297ebe2e9ca958bd76392e54ab6cb3c255541a5eca3f484d9a4696917ec713
                                                        • Instruction ID: dd8709c91ee6e58cd16d7256e2ecc365bfe366aa7c0e1399f92f35b8c44203e7
                                                        • Opcode Fuzzy Hash: a8297ebe2e9ca958bd76392e54ab6cb3c255541a5eca3f484d9a4696917ec713
                                                        • Instruction Fuzzy Hash: 27E1BC30F042198FEB59EF79E85866E7BF6EF89301B194469E406DB3A1DA34CD01CB90
                                                        Function 0227CFF1 Relevance: 6.1, APIs: 4, Instructions: 132threadCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 452 227cff1-227d08f GetCurrentProcess 456 227d091-227d097 452->456 457 227d098-227d0cc GetCurrentThread 452->457 456->457 458 227d0d5-227d109 GetCurrentProcess 457->458 459 227d0ce-227d0d4 457->459 461 227d112-227d12d call 227d5d9 458->461 462 227d10b-227d111 458->462 459->458 465 227d133-227d162 GetCurrentThreadId 461->465 462->461 466 227d164-227d16a 465->466 467 227d16b-227d1cd 465->467 466->467
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32 ref: 0227D07E
                                                        • GetCurrentThread.KERNEL32 ref: 0227D0BB
                                                        • GetCurrentProcess.KERNEL32 ref: 0227D0F8
                                                        • GetCurrentThreadId.KERNEL32 ref: 0227D151
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1291933981.0000000002270000.00000040.00000800.00020000.00000000.sdmp, Offset: 02270000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2270000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: Current$ProcessThread
                                                        • String ID:
                                                        • API String ID: 2063062207-0
                                                        • Opcode ID: 250eae90d8961a7d4b808a621f0972c28fc310b3a7f742aaf719981edcab95eb
                                                        • Instruction ID: 06623b13f6a0a27b90f4b045fc268a15860e73bf3e134102ebe81020d291fe5a
                                                        • Opcode Fuzzy Hash: 250eae90d8961a7d4b808a621f0972c28fc310b3a7f742aaf719981edcab95eb
                                                        • Instruction Fuzzy Hash: 765167B0D003498FEB14DFAAD549B9EBBF1EF88314F208459E419A73A0DB345945CF65
                                                        Function 0227D000 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 474 227d000-227d08f GetCurrentProcess 478 227d091-227d097 474->478 479 227d098-227d0cc GetCurrentThread 474->479 478->479 480 227d0d5-227d109 GetCurrentProcess 479->480 481 227d0ce-227d0d4 479->481 483 227d112-227d12d call 227d5d9 480->483 484 227d10b-227d111 480->484 481->480 487 227d133-227d162 GetCurrentThreadId 483->487 484->483 488 227d164-227d16a 487->488 489 227d16b-227d1cd 487->489 488->489
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32 ref: 0227D07E
                                                        • GetCurrentThread.KERNEL32 ref: 0227D0BB
                                                        • GetCurrentProcess.KERNEL32 ref: 0227D0F8
                                                        • GetCurrentThreadId.KERNEL32 ref: 0227D151
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1291933981.0000000002270000.00000040.00000800.00020000.00000000.sdmp, Offset: 02270000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2270000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: Current$ProcessThread
                                                        • String ID:
                                                        • API String ID: 2063062207-0
                                                        • Opcode ID: ebfbef37302cff7a21e6efc3d11188456f90dd0bbd38961864ed29f06b4c77ba
                                                        • Instruction ID: 7e750f37b362269ee0910523e712ec0bc47208f5c43124f2fd60c28b29e00ad6
                                                        • Opcode Fuzzy Hash: ebfbef37302cff7a21e6efc3d11188456f90dd0bbd38961864ed29f06b4c77ba
                                                        • Instruction Fuzzy Hash: 015187B0D003098FEB14DFAAD549B9EBBF1EF88314F208459E419A73A0CB346945CF65
                                                        Function 06B41164 Relevance: 1.7, APIs: 1, Instructions: 244processCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 825 6b41164-6b41205 828 6b41207-6b41211 825->828 829 6b4123e-6b4125e 825->829 828->829 830 6b41213-6b41215 828->830 836 6b41297-6b412c6 829->836 837 6b41260-6b4126a 829->837 831 6b41217-6b41221 830->831 832 6b41238-6b4123b 830->832 834 6b41225-6b41234 831->834 835 6b41223 831->835 832->829 834->834 838 6b41236 834->838 835->834 843 6b412ff-6b413b9 CreateProcessA 836->843 844 6b412c8-6b412d2 836->844 837->836 839 6b4126c-6b4126e 837->839 838->832 841 6b41270-6b4127a 839->841 842 6b41291-6b41294 839->842 845 6b4127c 841->845 846 6b4127e-6b4128d 841->846 842->836 857 6b413c2-6b41448 843->857 858 6b413bb-6b413c1 843->858 844->843 847 6b412d4-6b412d6 844->847 845->846 846->846 848 6b4128f 846->848 849 6b412d8-6b412e2 847->849 850 6b412f9-6b412fc 847->850 848->842 852 6b412e4 849->852 853 6b412e6-6b412f5 849->853 850->843 852->853 853->853 854 6b412f7 853->854 854->850 868 6b41458-6b4145c 857->868 869 6b4144a-6b4144e 857->869 858->857 871 6b4146c-6b41470 868->871 872 6b4145e-6b41462 868->872 869->868 870 6b41450 869->870 870->868 874 6b41480-6b41484 871->874 875 6b41472-6b41476 871->875 872->871 873 6b41464 872->873 873->871 877 6b41496-6b4149d 874->877 878 6b41486-6b4148c 874->878 875->874 876 6b41478 875->876 876->874 879 6b414b4 877->879 880 6b4149f-6b414ae 877->880 878->877 882 6b414b5 879->882 880->879 882->882
                                                        APIs
                                                        • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06B413A6
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297291642.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6b40000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: a34e1322683ff4ebaa56f9627c3406c2a4abafe164b505070b5ec74c2f3d721d
                                                        • Instruction ID: 01f5c7b66ade689e95ea15f9aff8ac51e59403847f0a2f403487c9b8ddac8014
                                                        • Opcode Fuzzy Hash: a34e1322683ff4ebaa56f9627c3406c2a4abafe164b505070b5ec74c2f3d721d
                                                        • Instruction Fuzzy Hash: C9915AB1D007198FEB64DFA8C840BEDBBB2FB49314F1485A9E808E7240DB759985DF91
                                                        Function 06B41170 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 883 6b41170-6b41205 885 6b41207-6b41211 883->885 886 6b4123e-6b4125e 883->886 885->886 887 6b41213-6b41215 885->887 893 6b41297-6b412c6 886->893 894 6b41260-6b4126a 886->894 888 6b41217-6b41221 887->888 889 6b41238-6b4123b 887->889 891 6b41225-6b41234 888->891 892 6b41223 888->892 889->886 891->891 895 6b41236 891->895 892->891 900 6b412ff-6b413b9 CreateProcessA 893->900 901 6b412c8-6b412d2 893->901 894->893 896 6b4126c-6b4126e 894->896 895->889 898 6b41270-6b4127a 896->898 899 6b41291-6b41294 896->899 902 6b4127c 898->902 903 6b4127e-6b4128d 898->903 899->893 914 6b413c2-6b41448 900->914 915 6b413bb-6b413c1 900->915 901->900 904 6b412d4-6b412d6 901->904 902->903 903->903 905 6b4128f 903->905 906 6b412d8-6b412e2 904->906 907 6b412f9-6b412fc 904->907 905->899 909 6b412e4 906->909 910 6b412e6-6b412f5 906->910 907->900 909->910 910->910 911 6b412f7 910->911 911->907 925 6b41458-6b4145c 914->925 926 6b4144a-6b4144e 914->926 915->914 928 6b4146c-6b41470 925->928 929 6b4145e-6b41462 925->929 926->925 927 6b41450 926->927 927->925 931 6b41480-6b41484 928->931 932 6b41472-6b41476 928->932 929->928 930 6b41464 929->930 930->928 934 6b41496-6b4149d 931->934 935 6b41486-6b4148c 931->935 932->931 933 6b41478 932->933 933->931 936 6b414b4 934->936 937 6b4149f-6b414ae 934->937 935->934 939 6b414b5 936->939 937->936 939->939
                                                        APIs
                                                        • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06B413A6
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297291642.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6b40000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: c723c81fef1262da8fc50dffadab2ff665959ae0b2973c679190a8cb0c43d175
                                                        • Instruction ID: f0e5e6dbc31deddaa320f15189f21f5b9f86cfc0e5eca6d93d3dfd6aedda20d0
                                                        • Opcode Fuzzy Hash: c723c81fef1262da8fc50dffadab2ff665959ae0b2973c679190a8cb0c43d175
                                                        • Instruction Fuzzy Hash: 8F915AB1D007198FEB64DFA8C840BEDBBB2FB49314F1485A9E808E7240DB759985DF91
                                                        Function 0227AD68 Relevance: 1.7, APIs: 1, Instructions: 197COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 940 227ad68-227ad77 941 227ada3-227ada7 940->941 942 227ad79-227ad86 call 227a08c 940->942 943 227adbb-227adfc 941->943 944 227ada9-227adb3 941->944 947 227ad9c 942->947 948 227ad88 942->948 951 227adfe-227ae06 943->951 952 227ae09-227ae17 943->952 944->943 947->941 995 227ad8e call 227aff0 948->995 996 227ad8e call 227b000 948->996 951->952 954 227ae3b-227ae3d 952->954 955 227ae19-227ae1e 952->955 953 227ad94-227ad96 953->947 956 227aed8-227af98 953->956 957 227ae40-227ae47 954->957 958 227ae20-227ae27 call 227a098 955->958 959 227ae29 955->959 990 227afa0-227afcb GetModuleHandleW 956->990 991 227af9a-227af9d 956->991 962 227ae54-227ae5b 957->962 963 227ae49-227ae51 957->963 961 227ae2b-227ae39 958->961 959->961 961->957 965 227ae5d-227ae65 962->965 966 227ae68-227ae71 call 227a0a8 962->966 963->962 965->966 971 227ae73-227ae7b 966->971 972 227ae7e-227ae83 966->972 971->972 973 227ae85-227ae8c 972->973 974 227aea1-227aea5 972->974 973->974 976 227ae8e-227ae9e call 227a0b8 call 227a0c8 973->976 979 227aeab-227aeae 974->979 976->974 981 227aed1-227aed7 979->981 982 227aeb0-227aece 979->982 982->981 992 227afd4-227afe8 990->992 993 227afcd-227afd3 990->993 991->990 993->992 995->953 996->953
                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0227AFBE
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1291933981.0000000002270000.00000040.00000800.00020000.00000000.sdmp, Offset: 02270000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2270000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: 6bad089439012b3d336336695fd163544d8bf0da6c0aa1e07b76bb24cad1ccbd
                                                        • Instruction ID: 7d3950abb41389ae4cd5b6480d4ded1722b303cd6af788530e2f518d1a6599ca
                                                        • Opcode Fuzzy Hash: 6bad089439012b3d336336695fd163544d8bf0da6c0aa1e07b76bb24cad1ccbd
                                                        • Instruction Fuzzy Hash: 5F716770A14B068FD724DFAAD44075ABBF1FF88314F008A2DD48ADBA54DB75E809CB95
                                                        Function 0227590C Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 997 227590c-2275916 998 2275918-22759d9 CreateActCtxA 997->998 1000 22759e2-2275a3c 998->1000 1001 22759db-22759e1 998->1001 1008 2275a3e-2275a41 1000->1008 1009 2275a4b-2275a4f 1000->1009 1001->1000 1008->1009 1010 2275a51-2275a5d 1009->1010 1011 2275a60 1009->1011 1010->1011 1013 2275a61 1011->1013 1013->1013
                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 022759C9
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1291933981.0000000002270000.00000040.00000800.00020000.00000000.sdmp, Offset: 02270000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2270000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        • Opcode ID: 0db48929f2d801f1985f154be40e27df97cae76b8ff14d3f67d854411db50295
                                                        • Instruction ID: acade4fa4275aad28b3831dc118eb2349f59c919bf9f71bdf6c236460fdb69ad
                                                        • Opcode Fuzzy Hash: 0db48929f2d801f1985f154be40e27df97cae76b8ff14d3f67d854411db50295
                                                        • Instruction Fuzzy Hash: 6541F271C00719CBEB24DFAAC88578EFBF5BF49304F60816AD408AB255DB756946CF90
                                                        Function 022744B4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1014 22744b4-22759d9 CreateActCtxA 1017 22759e2-2275a3c 1014->1017 1018 22759db-22759e1 1014->1018 1025 2275a3e-2275a41 1017->1025 1026 2275a4b-2275a4f 1017->1026 1018->1017 1025->1026 1027 2275a51-2275a5d 1026->1027 1028 2275a60 1026->1028 1027->1028 1030 2275a61 1028->1030 1030->1030
                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 022759C9
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1291933981.0000000002270000.00000040.00000800.00020000.00000000.sdmp, Offset: 02270000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2270000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        • Opcode ID: 06c685574ee6765e8d6883e1fc78c52cfcffc4d3e5b5b7866d268ce9616a61b4
                                                        • Instruction ID: 67a15e9a9ad1ea2878a6febe173872422e547739360da21a7c26a50441dda750
                                                        • Opcode Fuzzy Hash: 06c685574ee6765e8d6883e1fc78c52cfcffc4d3e5b5b7866d268ce9616a61b4
                                                        • Instruction Fuzzy Hash: 5241E171C14719CBEB24DFAAC84578EFBB5BF48304F60806AD408AB255DB756946CF90
                                                        Function 06B40EE0 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1031 6b40ee0-6b40f36 1033 6b40f46-6b40f85 WriteProcessMemory 1031->1033 1034 6b40f38-6b40f44 1031->1034 1036 6b40f87-6b40f8d 1033->1036 1037 6b40f8e-6b40fbe 1033->1037 1034->1033 1036->1037
                                                        APIs
                                                        • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06B40F78
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297291642.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6b40000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0
                                                        • Opcode ID: ce8c35176d10ec7fe8dcfdec17dd31270942ebf4eedbe90d7c6c22836025f041
                                                        • Instruction ID: b854d06dc6d94df78e64fb9a411e577d65da118cc565dd8bf7cb56a77cef5bbd
                                                        • Opcode Fuzzy Hash: ce8c35176d10ec7fe8dcfdec17dd31270942ebf4eedbe90d7c6c22836025f041
                                                        • Instruction Fuzzy Hash: E7214B75D013099FDB10DFA9C885BDEBBF1FF48310F50842AE959A7240D7789941DBA4
                                                        Function 06B40EE8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1041 6b40ee8-6b40f36 1043 6b40f46-6b40f85 WriteProcessMemory 1041->1043 1044 6b40f38-6b40f44 1041->1044 1046 6b40f87-6b40f8d 1043->1046 1047 6b40f8e-6b40fbe 1043->1047 1044->1043 1046->1047
                                                        APIs
                                                        • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06B40F78
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297291642.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6b40000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0
                                                        • Opcode ID: b53d2b299c1d96db8d723a3236ace2576391ace52903cf79a2b07d424f1f117a
                                                        • Instruction ID: 2c3ecac998733b07fcc16127325b08ee0aec9c1168f9623aee4b4a173401a5e8
                                                        • Opcode Fuzzy Hash: b53d2b299c1d96db8d723a3236ace2576391ace52903cf79a2b07d424f1f117a
                                                        • Instruction Fuzzy Hash: 8E2127B5D013099FDB10DFAAC881BDEBBF5FF48310F508429E918A7240C7799941DBA5
                                                        Function 0227D648 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0227D6D7
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1291933981.0000000002270000.00000040.00000800.00020000.00000000.sdmp, Offset: 02270000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2270000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: db50a689c02c7a09666f3a7bf94f5669f22dad599036e24dbff7df0d58fbc7fd
                                                        • Instruction ID: c09a2f18ae20defb3e34d946ccf473a9896243ff2ed9b4584b3fb33e07a755bd
                                                        • Opcode Fuzzy Hash: db50a689c02c7a09666f3a7bf94f5669f22dad599036e24dbff7df0d58fbc7fd
                                                        • Instruction Fuzzy Hash: 9E21E6B5D012099FDB10CF9AD984ADEBBF5FF48310F14841AE918A7350D379A941CFA4
                                                        Function 06B40911 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06B40996
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297291642.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6b40000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: ccf5872b163c1e57d719a4a9fb218207482ae7e3145792af7cd99b1b9236532e
                                                        • Instruction ID: 8ed6211649e9ed6537dcebc3d5ac1954ec9e76095d22e685f53e5a38869b686f
                                                        • Opcode Fuzzy Hash: ccf5872b163c1e57d719a4a9fb218207482ae7e3145792af7cd99b1b9236532e
                                                        • Instruction Fuzzy Hash: 5A213AB1D003098FDB10DFAAC4857EEBBF4EF48310F548429D559A7241CB79A945CFA5
                                                        Function 06B40FD1 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06B41058
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297291642.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6b40000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessRead
                                                        • String ID:
                                                        • API String ID: 1726664587-0
                                                        • Opcode ID: e9ad8d3a6b64bb344268213383b030d72cf020dbe761c07a13455563f35b2b0e
                                                        • Instruction ID: 1279ea4ed50b3a37a9e8d057b0efebc23bc7185d4d78c8393419096ba083a803
                                                        • Opcode Fuzzy Hash: e9ad8d3a6b64bb344268213383b030d72cf020dbe761c07a13455563f35b2b0e
                                                        • Instruction Fuzzy Hash: A22125B5C003498FDB10DFA9C980BEEBBB1FF48310F50882AE529A3250C7799941DBA0
                                                        Function 06B40FD8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06B41058
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297291642.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6b40000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessRead
                                                        • String ID:
                                                        • API String ID: 1726664587-0
                                                        • Opcode ID: d635489055bbb558d034ccff0765891087569b53865d03365308f3d09e05135c
                                                        • Instruction ID: 90b0aa6953c901be331883ecba6ab40f35c5ccc1c0a51e84cc2bf66ffa5d9fd1
                                                        • Opcode Fuzzy Hash: d635489055bbb558d034ccff0765891087569b53865d03365308f3d09e05135c
                                                        • Instruction Fuzzy Hash: F821F8B1D013499FDB10DFAAC841BEEBBF5FF48310F508429E919A7240C7799951DBA4
                                                        Function 06B40918 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06B40996
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297291642.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6b40000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: 58459cf251b68340df36cef49ccb2ebcc9fa0458cc160dca5891c43458cf8b82
                                                        • Instruction ID: d972bbdc8081b34608e05c3f6a7fa5edae157dcf46a1a55bc75720312cd88234
                                                        • Opcode Fuzzy Hash: 58459cf251b68340df36cef49ccb2ebcc9fa0458cc160dca5891c43458cf8b82
                                                        • Instruction Fuzzy Hash: 542138B1D003098FDB10EFAAC4857AEBBF4EF48310F548429D559A7241CB79A945CFA4
                                                        Function 0227D650 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0227D6D7
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1291933981.0000000002270000.00000040.00000800.00020000.00000000.sdmp, Offset: 02270000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2270000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: 884823fde156f9129e34977d7fd037cfda9d5685ebbac5e8560b0cbd88fa1fed
                                                        • Instruction ID: a4dabdaccedbf74dcce4f2ba3e8e674abe6ae2e221000b852d0da3cf29baadc7
                                                        • Opcode Fuzzy Hash: 884823fde156f9129e34977d7fd037cfda9d5685ebbac5e8560b0cbd88fa1fed
                                                        • Instruction Fuzzy Hash: 8C21E4B5D002099FDB10CFAAD984ADEBBF8FB48310F14841AE918A3350D379A940CFA4
                                                        Function 06A04FDF Relevance: 1.6, Strings: 1, Instructions: 306COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @
                                                        • API String ID: 0-2766056989
                                                        • Opcode ID: ddd956e6ed2ee04d1aa2ccdd72147d9b29031c2b2dfbfa2a6be8217b8d9fa1a4
                                                        • Instruction ID: 7a6ded220985af1ffe8818e37f257b81390593518d4d1ee71652f5e902f406a2
                                                        • Opcode Fuzzy Hash: ddd956e6ed2ee04d1aa2ccdd72147d9b29031c2b2dfbfa2a6be8217b8d9fa1a4
                                                        • Instruction Fuzzy Hash: AAE18074E042188FEB50DFA9D980A9DBBF1FB49314F2481AAD858EB345D731AE85CF50
                                                        Function 06B40E20 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06B40E96
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297291642.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6b40000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: a0c5a0d3d0c3e8ade832aecbeee1050ad79ff8481a3655fd0e372359f38c3e44
                                                        • Instruction ID: 89913d598e4e36a9374dde9c56fdb1b4a80900d1fb5f99a005e0bbece5840201
                                                        • Opcode Fuzzy Hash: a0c5a0d3d0c3e8ade832aecbeee1050ad79ff8481a3655fd0e372359f38c3e44
                                                        • Instruction Fuzzy Hash: 6F114772D003499FDB20EFAAC845BDEBBF5EB48310F208819E525A7250CB75A941DFA4
                                                        Function 06B40E28 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06B40E96
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297291642.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6b40000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 49fe149408b21fdd042b882990cd2c2fc9160392b18194d1d38cccaf05098c03
                                                        • Instruction ID: a0bcccd8e2eb568b7c57a560696494c00cc789da3e7a0621ff7fa9691ad04b6b
                                                        • Opcode Fuzzy Hash: 49fe149408b21fdd042b882990cd2c2fc9160392b18194d1d38cccaf05098c03
                                                        • Instruction Fuzzy Hash: F7112972C003499FDB20DFAAC845BDEBBF5EB48310F148819E515A7250C775A551DFA4
                                                        Function 06B40860 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0C069B2A), ref: 06B408CA
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297291642.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6b40000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: fa2342eac9f31022f379370e8ed7f645cc381144bd41dc0c581ae35b63df52af
                                                        • Instruction ID: 27702dde1ab370690e94598fe06c01b8df752f77e85dfa154167e5f3215a200a
                                                        • Opcode Fuzzy Hash: fa2342eac9f31022f379370e8ed7f645cc381144bd41dc0c581ae35b63df52af
                                                        • Instruction Fuzzy Hash: 011158B1D003498FDB20EFAAC5457AEFBF4EB48320F248819D519A7640CB796540CFA4
                                                        Function 06B40868 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0C069B2A), ref: 06B408CA
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297291642.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6b40000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: 6b6e48b761afe0930fe996e7d0cec148c3fcccd8606bc1e4b491c6ae99dcad61
                                                        • Instruction ID: 4c2ff77226b286c2b551f96e89a46083daae34a5f6c01adc81feb4300682a334
                                                        • Opcode Fuzzy Hash: 6b6e48b761afe0930fe996e7d0cec148c3fcccd8606bc1e4b491c6ae99dcad61
                                                        • Instruction Fuzzy Hash: 01113AB1D003498FDB20EFAAC44579EFBF5EB48320F248829D519A7240CB796945CF94
                                                        Function 0227AF58 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0227AFBE
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1291933981.0000000002270000.00000040.00000800.00020000.00000000.sdmp, Offset: 02270000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2270000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: 22ddd3594291ca7991255aa8ff94a1ffb565fb71ed88af0793359c72e69e045c
                                                        • Instruction ID: 1d4da18d04d37d64b42cf5eaa269580960dd5eeda6ff3fb8bd4b18cba1876750
                                                        • Opcode Fuzzy Hash: 22ddd3594291ca7991255aa8ff94a1ffb565fb71ed88af0793359c72e69e045c
                                                        • Instruction Fuzzy Hash: E91110B6C043498FCB20DF9AD444BDEFBF4EB88324F10842AD429A7614C77AA545CFA5
                                                        Function 06B43B30 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 06B43B95
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297291642.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6b40000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: 5dda2fc1567b54cf03991ad17448e456c1524f8041753c8c04b86e8d1248c44b
                                                        • Instruction ID: 17938002a2264fbd3d4bc0637ed6f77a2b35e4ccb326c1573ff55e9a6c0cc14f
                                                        • Opcode Fuzzy Hash: 5dda2fc1567b54cf03991ad17448e456c1524f8041753c8c04b86e8d1248c44b
                                                        • Instruction Fuzzy Hash: A21103B6C00649CFDB10EF9AD985BDEBBF4EB48310F14881AD568A7650C375A944CFA1
                                                        Function 06B43B38 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 06B43B95
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297291642.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6b40000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: 7106607febca0f3a264f1db723295443961f8d09ab17d42a0ff0c0d1a224f37b
                                                        • Instruction ID: 763ca038d5a98cf8426d609383edc1e6d92a9641e27c45ba2e75618f71a32004
                                                        • Opcode Fuzzy Hash: 7106607febca0f3a264f1db723295443961f8d09ab17d42a0ff0c0d1a224f37b
                                                        • Instruction Fuzzy Hash: 5B11D3B58007499FDB10DF9AD885BDEBBF8EB48320F148859D518A7240C375A944CFA5
                                                        Function 06A03D9E Relevance: 1.5, Strings: 1, Instructions: 233COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LRq
                                                        • API String ID: 0-3187445251
                                                        • Opcode ID: 3178fee2d420f3009daf7138d3dd650c2080e0de59b5b24132f9e3ed89bc13d4
                                                        • Instruction ID: 580c2c6578a85dcd552d2ac1b94d76097c7b8c52729efb94eeab3c0257b7c14c
                                                        • Opcode Fuzzy Hash: 3178fee2d420f3009daf7138d3dd650c2080e0de59b5b24132f9e3ed89bc13d4
                                                        • Instruction Fuzzy Hash: E191E574E04209DFEB44DFA9D4806ADBBF6EF89314F20856AD819EB385E7359902CF40
                                                        Function 06A04894 Relevance: 1.4, Strings: 1, Instructions: 162COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Teq
                                                        • API String ID: 0-1098410595
                                                        • Opcode ID: dd1086aa36531f23efb083fa3ae6f21fbd2ad0737ca5373dbaf387740cdb0f96
                                                        • Instruction ID: e0394a4e933cc8e73ef589c681f0d266de50847e24383d63b010705539672620
                                                        • Opcode Fuzzy Hash: dd1086aa36531f23efb083fa3ae6f21fbd2ad0737ca5373dbaf387740cdb0f96
                                                        • Instruction Fuzzy Hash: 9A51E030F002058FDB15EB79E84896FBBF6EFC5320715896AE429DB391DB309C068B90
                                                        Function 06A04428 Relevance: 1.4, Strings: 1, Instructions: 107COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 8q
                                                        • API String ID: 0-4083045702
                                                        • Opcode ID: 538818580da50b58da64c3d7a612b0664ee3057cc5617f1a3812afb709a9b5f9
                                                        • Instruction ID: bfca61f59414754614a80882ed5e2c351a3ef7a650126339cbb67b51e1648e76
                                                        • Opcode Fuzzy Hash: 538818580da50b58da64c3d7a612b0664ee3057cc5617f1a3812afb709a9b5f9
                                                        • Instruction Fuzzy Hash: FC41FC74E00108DFEB45DFA9E4546AEBBF1FB89304F108069E915A7394D731AD42CF50
                                                        Function 06A04417 Relevance: 1.4, Strings: 1, Instructions: 103COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 8q
                                                        • API String ID: 0-4083045702
                                                        • Opcode ID: d0c6851145205421e47f6d9d9cb4c197e78da2698ca1b5d8c4c1437e488b32cd
                                                        • Instruction ID: 4b1273762d322c6cc513f780c9d028b4fae1c33f1cdc0d37f9c53b1ac3d510ad
                                                        • Opcode Fuzzy Hash: d0c6851145205421e47f6d9d9cb4c197e78da2698ca1b5d8c4c1437e488b32cd
                                                        • Instruction Fuzzy Hash: 1A414E74E00208DFEB45EFA8E4546AEBBF2FB89304F108069E915AB391D731AD42CF50
                                                        Function 06A0AC7A Relevance: 1.3, Strings: 1, Instructions: 93COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Teq
                                                        • API String ID: 0-1098410595
                                                        • Opcode ID: d5ebad273fe662f7a7115996947192adc67bd2d5890e30007a25847a628f3826
                                                        • Instruction ID: 7616fd252d53d1f5fb62a3fb57a2d4935cafb49fcaa9530545d22fd784f1a843
                                                        • Opcode Fuzzy Hash: d5ebad273fe662f7a7115996947192adc67bd2d5890e30007a25847a628f3826
                                                        • Instruction Fuzzy Hash: 49311874E043588FEB44DFA6D8446EEBBF6EF89300F14902AD519AB395DB745906CF80
                                                        Function 06A0ACF2 Relevance: 1.3, Strings: 1, Instructions: 88COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Teq
                                                        • API String ID: 0-1098410595
                                                        • Opcode ID: 37e06f3894d267b4f7165dc716e03b903fba059a3ce291cbcd42412b8356109d
                                                        • Instruction ID: 4757bd09e985f407a7f9928b98f3a5260be30b22c69ab8735a6cf7d8fc282038
                                                        • Opcode Fuzzy Hash: 37e06f3894d267b4f7165dc716e03b903fba059a3ce291cbcd42412b8356109d
                                                        • Instruction Fuzzy Hash: 4831B174E04219CFEB44DFE9E884AADBBB2FF88310F14812AE919AB261D7345941CB50
                                                        Function 06A0AC88 Relevance: 1.3, Strings: 1, Instructions: 84COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Teq
                                                        • API String ID: 0-1098410595
                                                        • Opcode ID: 06f6dfe7a3d5d138026822b40e9dd96cea6e51b6769724b6de25f304edd98673
                                                        • Instruction ID: d2af46efe663643bce4766b825a193d0f22bd78f1f055f27664cca128a01b467
                                                        • Opcode Fuzzy Hash: 06f6dfe7a3d5d138026822b40e9dd96cea6e51b6769724b6de25f304edd98673
                                                        • Instruction Fuzzy Hash: 2D31F6B4E043588FEB44DFA6D8447AEBBF6EF89300F109029D919AB395DB745846CF80
                                                        Function 06A05608 Relevance: 1.3, Strings: 1, Instructions: 58COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Teq
                                                        • API String ID: 0-1098410595
                                                        • Opcode ID: 417d6bcf81c79be91ddc95ff1554a02495d7a2cd6fb7d515ee5eaea8350401ae
                                                        • Instruction ID: 50ebd0c84fb1e0c4a59154666f33e26fd42f94baefd982b35e238734533209b0
                                                        • Opcode Fuzzy Hash: 417d6bcf81c79be91ddc95ff1554a02495d7a2cd6fb7d515ee5eaea8350401ae
                                                        • Instruction Fuzzy Hash: 74111271F002198BEB54FBB9A9116EE76F6AB88311F144079C514EB384EF318D01CBD5
                                                        Function 06A0AD8F Relevance: 1.3, Strings: 1, Instructions: 54COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Teq
                                                        • API String ID: 0-1098410595
                                                        • Opcode ID: b8f91d5d96aa545cfe02ae0b8ed43977789d45490dffb71fd03d01a70bf30da5
                                                        • Instruction ID: 8b26afbe4a0beb9a858c540e4f69d359a3dedcb2759a873301490a7e0bd08aea
                                                        • Opcode Fuzzy Hash: b8f91d5d96aa545cfe02ae0b8ed43977789d45490dffb71fd03d01a70bf30da5
                                                        • Instruction Fuzzy Hash: BD11AF75E04209CFDB08DFE9D8849ADFBB2FB88300F10812AEA19AB365C7355955CF50
                                                        Function 06A0AD0A Relevance: 1.3, Strings: 1, Instructions: 49COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Teq
                                                        • API String ID: 0-1098410595
                                                        • Opcode ID: 7e698a329c6ceaa2a0e1c2043701d054f5ac5a9416d8fe2260719f896a8cbec6
                                                        • Instruction ID: 511c3c8e736019556e761d912a870c739e849b595e7b2db80754497f62ed3598
                                                        • Opcode Fuzzy Hash: 7e698a329c6ceaa2a0e1c2043701d054f5ac5a9416d8fe2260719f896a8cbec6
                                                        • Instruction Fuzzy Hash: 96119F75E00209DFDB08DFE8D8849ADFBB2FB88314F10812AEA19AB365C7315955CF50
                                                        Function 06A07EF9 Relevance: 1.3, Strings: 1, Instructions: 48COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ;
                                                        • API String ID: 0-1661535913
                                                        • Opcode ID: 57ef3a7548e544d0360425ddd89dd53aa10520db8311ebfcc3a80ba87afbd1e3
                                                        • Instruction ID: b86f174e90250219ad4fe41100820372e7fa9be4f05c4a75bb2ad9ebbaa1ea83
                                                        • Opcode Fuzzy Hash: 57ef3a7548e544d0360425ddd89dd53aa10520db8311ebfcc3a80ba87afbd1e3
                                                        • Instruction Fuzzy Hash: 48018B70E05209AFEB51EFA4E8446AEBBB8EF06340F1045A6D805DB3C0E7349E15CBD1
                                                        Function 06A07450 Relevance: 1.3, Strings: 1, Instructions: 20COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: m
                                                        • API String ID: 0-3775001192
                                                        • Opcode ID: 2412db93423390a7665e508a10ca019ae0679f46b94bffcabc590c0acaf3bd09
                                                        • Instruction ID: 30f328000c5530bd84972e2b54ee0c2f07e2a4382e1cd954290240b88ab1eb42
                                                        • Opcode Fuzzy Hash: 2412db93423390a7665e508a10ca019ae0679f46b94bffcabc590c0acaf3bd09
                                                        • Instruction Fuzzy Hash: EAE08C30E04208BBEB44FBA4A44466D7AB89B01301F400194C40557280D632AE54CAA1
                                                        Function 06A03348 Relevance: 1.3, Strings: 1, Instructions: 20COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 6
                                                        • API String ID: 0-498629140
                                                        • Opcode ID: 8caa698e96184d9ed69a8ca08a28e5c277d474181e269d1ca7d2b85bcae9c70a
                                                        • Instruction ID: 77f33817adfb4475ff301b31f325d089318ffd9819a24820f450b5be9135d707
                                                        • Opcode Fuzzy Hash: 8caa698e96184d9ed69a8ca08a28e5c277d474181e269d1ca7d2b85bcae9c70a
                                                        • Instruction Fuzzy Hash: D9E08C70D0420CEBEF24EFA4E48826DBBB8E70A301F504195C80693280EB314E54D682
                                                        Function 06A04038 Relevance: 1.3, Strings: 1, Instructions: 20COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 7
                                                        • API String ID: 0-1790921346
                                                        • Opcode ID: a33438b1c1638e600fd34e242cb68878218ecf5491741b53603ef997c0e1e092
                                                        • Instruction ID: b2175d512e871e321e1c357e35a89079c4ff406c988b8dd1402f6044d2897d37
                                                        • Opcode Fuzzy Hash: a33438b1c1638e600fd34e242cb68878218ecf5491741b53603ef997c0e1e092
                                                        • Instruction Fuzzy Hash: 8BE08C70D0920CEBFB50FFA4B80466D76F8E749300F4001A4C50667680D6390E44C681
                                                        Function 06A0AEB0 Relevance: .3, Instructions: 262COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 672179b22ae45f7f4ca20ec42b2917063faa4cf1e89f6dd95c1fcd3147711249
                                                        • Instruction ID: 30403f0cfddb9238bdd7d794a39cf280db7492f40f33bc103f358fec43e786de
                                                        • Opcode Fuzzy Hash: 672179b22ae45f7f4ca20ec42b2917063faa4cf1e89f6dd95c1fcd3147711249
                                                        • Instruction Fuzzy Hash: 8AA14D74E11219CFEB50EFA5E540AEDBBB6FF88300F109615E519AB345DB30AD46CB90
                                                        Function 06A0AEAE Relevance: .2, Instructions: 238COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b67002b2833f20fd5c30f903636a05e3fe2607c9f223291abe7da46fa0947d18
                                                        • Instruction ID: 7ce2e7cf98f6aebcc0a3c398bf08e002c6c9ef0627abecad3a4a9c4df5ee0a30
                                                        • Opcode Fuzzy Hash: b67002b2833f20fd5c30f903636a05e3fe2607c9f223291abe7da46fa0947d18
                                                        • Instruction Fuzzy Hash: 60915D74E11219CFEB54EFA5E540AADBBB6FF88300F109615E119AB385DB30AD46CB90
                                                        Function 06A06D37 Relevance: .2, Instructions: 193COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9f256842b3797e2e7a53d2cbf3691b158d3a4140b5faa38c08f5960fe5f0ac9a
                                                        • Instruction ID: af1dc1c1e9d36fe0a0f9c0e6a73edadea0fa30d890b0273f7d3f57dd044c3a0c
                                                        • Opcode Fuzzy Hash: 9f256842b3797e2e7a53d2cbf3691b158d3a4140b5faa38c08f5960fe5f0ac9a
                                                        • Instruction Fuzzy Hash: 0C81A274E042198FEF51DFA8D880AAEBBF5EF49304F1094A9E819EB351D7319A56CF40
                                                        Function 06A06FA0 Relevance: .2, Instructions: 187COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e4494a4e7c0f86d845a664f874a4f15ac25bdc502444129cef19bb47bce335ab
                                                        • Instruction ID: 293bd4b89ac97af8134592f63ed890ddea56fb3832be928dd4fc9e506b6a2e9e
                                                        • Opcode Fuzzy Hash: e4494a4e7c0f86d845a664f874a4f15ac25bdc502444129cef19bb47bce335ab
                                                        • Instruction Fuzzy Hash: 6251D171E093889FDB12DFB4D8549DEBFF4EF46210F1584AAE404DB292D7359906CBA0
                                                        Function 06A0B448 Relevance: .1, Instructions: 126COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 58c369f8c72679de270b13957f33849e28c6a1ea5f02cff0ed906b4a2219739b
                                                        • Instruction ID: 6ef1c82b78e74244c8f28d64dcdae4eba0dae30f5bc02c2e60f39d69f778664f
                                                        • Opcode Fuzzy Hash: 58c369f8c72679de270b13957f33849e28c6a1ea5f02cff0ed906b4a2219739b
                                                        • Instruction Fuzzy Hash: 0D411874D04208DFEB44DFAAE6406AEFBF6EB8D300F14D069D41AA7291D7355A41CFA4
                                                        Function 06A08560 Relevance: .1, Instructions: 114COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 83e77ef0aca5be168337ea46680067fc91a1854d83f15d3333d5d31c3bbcf933
                                                        • Instruction ID: b282f263de829f7f513c45eb07b3fdb4f2d0adff771cc7140b36c84d8bafd826
                                                        • Opcode Fuzzy Hash: 83e77ef0aca5be168337ea46680067fc91a1854d83f15d3333d5d31c3bbcf933
                                                        • Instruction Fuzzy Hash: 4841F8B4E10208DFEB44EFA9D480AAEBBF5EB89310F158469D815EB390D735AD02CF54
                                                        Function 06A0854F Relevance: .1, Instructions: 112COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0a8f8006de001e2fc6b50b28177d1d4ec5aa01bc6bda8e5120009182a2d2e7a5
                                                        • Instruction ID: c77577a2587677775ed34c3e5cbdc3f07663130f786b93b9c607dd56166a914e
                                                        • Opcode Fuzzy Hash: 0a8f8006de001e2fc6b50b28177d1d4ec5aa01bc6bda8e5120009182a2d2e7a5
                                                        • Instruction Fuzzy Hash: BC413874E10208DFEB45EFA8D89069EBBF1EB89310F158469D815EB390DB35DD02CB54
                                                        Function 06A0B446 Relevance: .1, Instructions: 109COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 85a9311573675f2fa88148da08b077ea02e70b8dd390b7eb80b2e333fd7761c8
                                                        • Instruction ID: 216850234fe2f3f53bf690b3699c6f5f3125082ac25d1d5a17ae2fa3eeed290b
                                                        • Opcode Fuzzy Hash: 85a9311573675f2fa88148da08b077ea02e70b8dd390b7eb80b2e333fd7761c8
                                                        • Instruction Fuzzy Hash: 6A4138B4D04208DFEB44DFAAE6406EEBBF6EB8D300F14D06AD41AA7290D7355A41CF64
                                                        Function 06A02FB0 Relevance: .1, Instructions: 109COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 23e7c5890054f15e6db387a82b6f1bb4b4dcc06a23144d694265237f79f6f26f
                                                        • Instruction ID: fb2602f5348df53079729c3ccdb70d163c4b6135fd2f52a31f945de7440ad55e
                                                        • Opcode Fuzzy Hash: 23e7c5890054f15e6db387a82b6f1bb4b4dcc06a23144d694265237f79f6f26f
                                                        • Instruction Fuzzy Hash: 5341F2B4E1120A9FEF44EFB9E8585AEBBF1EF49300F148425D815E7290EB34D911CBA0
                                                        Function 06A05AB0 Relevance: .1, Instructions: 80COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b2e0651c21720cfd21c02390f1c1552fee847b5ad32969deb765838419c5aca1
                                                        • Instruction ID: 9973e3261624ff9d718b19a2501b3c4dcb6b4a3a053bdb629bd29381bc16a56a
                                                        • Opcode Fuzzy Hash: b2e0651c21720cfd21c02390f1c1552fee847b5ad32969deb765838419c5aca1
                                                        • Instruction Fuzzy Hash: 7A2137B5E003550FEB12EB3999806EF7FB6EFC5260B15452AD458CF242EA30890A87A1
                                                        Function 009ED3D8 Relevance: .1, Instructions: 75COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1291538571.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_9ed000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9ee4426b201cca2e2621e6fa3e79c6f151ae937c8b55962fcede04957a88a04e
                                                        • Instruction ID: 3c0dd4edebd1420349bdef33789613bf1367be0eacb11c225a952ed3fda48527
                                                        • Opcode Fuzzy Hash: 9ee4426b201cca2e2621e6fa3e79c6f151ae937c8b55962fcede04957a88a04e
                                                        • Instruction Fuzzy Hash: F2214871504284DFDB16DF00D9C0B16BB65FBA8324F20C569E8090F2E6D33AEC46CBA2
                                                        Function 06A04ED8 Relevance: .1, Instructions: 74COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cf057f30a6b2b3bca2e278f06910da405a3de802013545500aa745d64b93761f
                                                        • Instruction ID: 9d0cd6fe9331e97941e372192f98dbd249de9d4f82c1a59693515fab95a91224
                                                        • Opcode Fuzzy Hash: cf057f30a6b2b3bca2e278f06910da405a3de802013545500aa745d64b93761f
                                                        • Instruction Fuzzy Hash: 4C313BB4E1021ADFEB40DFA9D5846AEBBF4FB48700F14846AE915E7340E7349A41CF60
                                                        Function 009FD01C Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1291617214.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_9fd000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 076ebc85f4e2adbe7a16029cbd2eab9b430341c8e1e62c19e117a92ce8675320
                                                        • Instruction ID: 8c74b461aa5355c217eaf91fb52b36a63faf6a300ff89eb5fc908605f56d8080
                                                        • Opcode Fuzzy Hash: 076ebc85f4e2adbe7a16029cbd2eab9b430341c8e1e62c19e117a92ce8675320
                                                        • Instruction Fuzzy Hash: 8C212571604308DFDB14DF10D9C4B26BB66EB84314F28C96DDA094B386CB3AD807CB62
                                                        Function 009FD1D4 Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1291617214.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_9fd000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 075bb911ff61c43627ea6f87dbfb13358d3d77c289943132dd1565ea24d0d995
                                                        • Instruction ID: 9bf72f44ff68eabd5c7ad5f0fe2ee97a3148bcd8afe4146286736cf22b5434b4
                                                        • Opcode Fuzzy Hash: 075bb911ff61c43627ea6f87dbfb13358d3d77c289943132dd1565ea24d0d995
                                                        • Instruction Fuzzy Hash: FA213771604308DFDB05DF10D9C0B26BB66FB84314F20C96DDA094B282C33AD806CBA1
                                                        Function 06A05C94 Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 08f4464d16df5c4cebd1260e0331baeb91b58de5ea55cf3d4a20743fd02bd2ad
                                                        • Instruction ID: 672b2a86a03458a10f5988f00cec6c6e9f89e40caa6c9490ae141d57a1da0f6a
                                                        • Opcode Fuzzy Hash: 08f4464d16df5c4cebd1260e0331baeb91b58de5ea55cf3d4a20743fd02bd2ad
                                                        • Instruction Fuzzy Hash: DF31E5B0D013589FEB60DF99D989BDEBFF5EB08314F14841AE404AB280C7B55845CF91
                                                        Function 06A04EC9 Relevance: .1, Instructions: 70COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 637ef04a4e859dad8e2768bad0d79275982dc2856fa8c85797c11e3660a29019
                                                        • Instruction ID: 2e132031107c1f9c4d753d9e92b76b9e37502a8c7410673f7f73db7622b61368
                                                        • Opcode Fuzzy Hash: 637ef04a4e859dad8e2768bad0d79275982dc2856fa8c85797c11e3660a29019
                                                        • Instruction Fuzzy Hash: 43216FB4E1121ADFDB51DFA9D9856AEBBF4FB08700F10846AD914E7280E7349A41CFA1
                                                        Function 06A0B5E8 Relevance: .1, Instructions: 69COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3e2d4f5cf91af560372aac20c631a7b4ecc8f4ab8d92cbbc32b02a4fcf7e3de3
                                                        • Instruction ID: c04e69061b4d8610ea8a9c068cea09b4cd48589a330606effb0668822d0e9004
                                                        • Opcode Fuzzy Hash: 3e2d4f5cf91af560372aac20c631a7b4ecc8f4ab8d92cbbc32b02a4fcf7e3de3
                                                        • Instruction Fuzzy Hash: 70212CB4D09209DFDB80DFA9D6809EEBBF5EB49300F1091A5D409A7751D7319E41CFA1
                                                        Function 06A05748 Relevance: .1, Instructions: 67COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b9217ad661838f6ca01cad49114ab6fbb8583f3395a54196664ea3979ab2ad71
                                                        • Instruction ID: 3f9624a0e269c8691ca5913630486be0288476a201947c0144f7a34a7a39ffe7
                                                        • Opcode Fuzzy Hash: b9217ad661838f6ca01cad49114ab6fbb8583f3395a54196664ea3979ab2ad71
                                                        • Instruction Fuzzy Hash: 1631C3B0D013189FEB60DF9AD588B9EBFF5AB08314F24842AE404BB290C7B56845CF95
                                                        Function 009FD006 Relevance: .1, Instructions: 62COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1291617214.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_9fd000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e64be469edc03c419d7aa3b4f58845dabfde481b33c8f9a36989d24d9b56e408
                                                        • Instruction ID: 65806bb21e257e9e91e86574d6a1da1f4b7d8338da8b0f55475a96fb3089dc3a
                                                        • Opcode Fuzzy Hash: e64be469edc03c419d7aa3b4f58845dabfde481b33c8f9a36989d24d9b56e408
                                                        • Instruction Fuzzy Hash: 63219F755093C48FCB06CF24D990715BF72EB46314F28C5EAD9498F2A7C33A980ACB62
                                                        Function 06A0FA70 Relevance: .1, Instructions: 61COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4782b2a484a183d9d535236b7af751b84ce13886c95e9af84b7e94da23f370da
                                                        • Instruction ID: 7647f3d1e5200304d2cf788bd0bf8c5e455d8d2442cd9852d663ccebaaedffe1
                                                        • Opcode Fuzzy Hash: 4782b2a484a183d9d535236b7af751b84ce13886c95e9af84b7e94da23f370da
                                                        • Instruction Fuzzy Hash: C4115130F002049FFB68AB79A81477F76A6EBC4750F24852DAC06AB381EA70DD01C7D0
                                                        Function 06A0B5F8 Relevance: .1, Instructions: 59COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3e7265fe1f8d355f4cf75bcbaa014199539dba18218a96632e7702e2a962ee9c
                                                        • Instruction ID: eb06a3bdcb82a07ffe296d6625c3aeae47ce92a4fd7b24261d61e9c38c9f5865
                                                        • Opcode Fuzzy Hash: 3e7265fe1f8d355f4cf75bcbaa014199539dba18218a96632e7702e2a962ee9c
                                                        • Instruction Fuzzy Hash: FF21EAB4D04209DFEB80DFA9D2809AEBBF5EB49300F2091A5D809A7751D7719E40CFA1
                                                        Function 06A0B6A1 Relevance: .1, Instructions: 57COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 49df8b0bf5adbd0a08fe2304ba612ab85e7d2d4a6b065c422610c70e8d92d1bb
                                                        • Instruction ID: 6afe5a5c918be0363284a1ec53489c88cad067f78e4832dc18e35b350bcc8ee8
                                                        • Opcode Fuzzy Hash: 49df8b0bf5adbd0a08fe2304ba612ab85e7d2d4a6b065c422610c70e8d92d1bb
                                                        • Instruction Fuzzy Hash: 4E113A74D09208EFEB44EFA9E6909ADBBF9EB49310F049596D4589B352D3309A01CFA0
                                                        Function 06A0593C Relevance: .1, Instructions: 56COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f62fb34a2f95db8dbf0542afdcf0b9d9c6ae05dfe707c3457e50271fb0c260dc
                                                        • Instruction ID: 3313b02d1762b11db4f3a8ef63e00d89250c618764138aca1fa9267b2dc52e1c
                                                        • Opcode Fuzzy Hash: f62fb34a2f95db8dbf0542afdcf0b9d9c6ae05dfe707c3457e50271fb0c260dc
                                                        • Instruction Fuzzy Hash: 8A2114B5C003499FDB20DF9AD844BDEBBF4FB48310F108429E918A7250C375A945CFA5
                                                        Function 009ED3D3 Relevance: .1, Instructions: 56COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1291538571.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_9ed000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                        • Instruction ID: d5ecf86e06f42882f90a8fc2da1c34d10ccf49fe296376cdd62652b1b335b293
                                                        • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                        • Instruction Fuzzy Hash: 6F112676504280DFCB06CF00D5C0B16BF72FBA4324F24C2A9D8090B2A6C33AE856CBA1
                                                        Function 009FD1CF Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1291617214.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_9fd000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                        • Instruction ID: 611a51f0f7c69a6127251343466808951aa272ae10467fe3120d27f948ab7f4f
                                                        • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                        • Instruction Fuzzy Hash: E311DD75504284DFDB06CF10C5C0B65FBB2FB84324F24C6AED9494B296C33AD81ACBA1
                                                        Function 06A07029 Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7223d8597eb38532127647faeedff6a275829bc9c5f3e0992084387fda93ed14
                                                        • Instruction ID: 4b18c0cbbd88d74e93f5db378ef855560acce6031a07b2565b14780cd40c0319
                                                        • Opcode Fuzzy Hash: 7223d8597eb38532127647faeedff6a275829bc9c5f3e0992084387fda93ed14
                                                        • Instruction Fuzzy Hash: F901D471A0D2856FEB46EB64DC908DA7FB5CF0726070A80DBE044CF1A3D2359916C7A0
                                                        Function 06A0BCC8 Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e70e8871cb9a7d9646081c1bb6218c57983508f12573621eff372f0745b58c82
                                                        • Instruction ID: ea4dbbfb789257bdeddd8fb307b03d69e1d9cdd5cb167e65e829d1c9b3de0b9b
                                                        • Opcode Fuzzy Hash: e70e8871cb9a7d9646081c1bb6218c57983508f12573621eff372f0745b58c82
                                                        • Instruction Fuzzy Hash: FA11E6B1D006189BEB18CFABD8447DEFAF7AFC9300F04C16AD40976294DB7509458FA0
                                                        Function 06A0C728 Relevance: .1, Instructions: 51COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5772d9e1ea434052d8220478cd9638d50cd002ec36e14770153e1211d79608ce
                                                        • Instruction ID: 802899ad9810365401dc2487851b169d2a8800e8124564daec86c9b7a96c92e6
                                                        • Opcode Fuzzy Hash: 5772d9e1ea434052d8220478cd9638d50cd002ec36e14770153e1211d79608ce
                                                        • Instruction Fuzzy Hash: 64111C70D042089FE748DF6AD4409EDBBFAAF89310F04C169E816A7351DB349845CF90
                                                        Function 06A0B6B0 Relevance: .0, Instructions: 50COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a84c045ae241d25caf9cd7e2d4cbe8757bffa347da9a29da0d3f715c30f91d42
                                                        • Instruction ID: e6ce89fc7939366564e5c3d2007c48d5050edebda3d74cfb00adebc85d20185c
                                                        • Opcode Fuzzy Hash: a84c045ae241d25caf9cd7e2d4cbe8757bffa347da9a29da0d3f715c30f91d42
                                                        • Instruction Fuzzy Hash: 4A110974D09208EFEB44EFA9E6809ADBBF9FF48310F109595D419AB351E331AA41CF90
                                                        Function 009ED759 Relevance: .0, Instructions: 45COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1291538571.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_9ed000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3efa4e4e319f679ab4a5891824b72bdbec48a360b918370de8c9dba2afb59871
                                                        • Instruction ID: 1616f1adbbed73ad055b4d35fceed70e699117795db0e820da84f17d8ebbe83d
                                                        • Opcode Fuzzy Hash: 3efa4e4e319f679ab4a5891824b72bdbec48a360b918370de8c9dba2afb59871
                                                        • Instruction Fuzzy Hash: 5E01F7B11063809AE7214B12DC84B26BFDCDF45321F18C91AED080E282C37A9C40CAB1
                                                        Function 06A06055 Relevance: .0, Instructions: 44COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c5551a523f70cf22fef047c15896fff6b3323fa26e193ff5cb47f591c250937c
                                                        • Instruction ID: d2c8b34d8a4416e959ba890faf10c17fbc4d8adbb9a10e6cd7ac286e34772dc7
                                                        • Opcode Fuzzy Hash: c5551a523f70cf22fef047c15896fff6b3323fa26e193ff5cb47f591c250937c
                                                        • Instruction Fuzzy Hash: 55012570844229EFEB11DF6AD8086EEBBB5FF44764F14C628E468AB2D0D7704A45CBD0
                                                        Function 06A0CBA8 Relevance: .0, Instructions: 41COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3ce19ea5c70d1f9f1742bc3efe69f81d55146d142a9e4ec3697e645c4d9613f2
                                                        • Instruction ID: 13604815c9737c802794eeaf4959d4a44e3c4ccd854a2df35fb5ed0d816a1599
                                                        • Opcode Fuzzy Hash: 3ce19ea5c70d1f9f1742bc3efe69f81d55146d142a9e4ec3697e645c4d9613f2
                                                        • Instruction Fuzzy Hash: 58011275E04108EFE744EFA5D594AADBBF5EF49310F15D19495099B392DA30DE00DF40
                                                        Function 06A08430 Relevance: .0, Instructions: 40COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 55dabc44b279df33435f1dce3ad6fe81d07eac332b9da5f3d147d25cc2a2b7b5
                                                        • Instruction ID: 85b4a5cdc038e9af17804d2f3a1b677668debce5118b8c77f1aaf868b2f090ad
                                                        • Opcode Fuzzy Hash: 55dabc44b279df33435f1dce3ad6fe81d07eac332b9da5f3d147d25cc2a2b7b5
                                                        • Instruction Fuzzy Hash: B0014474E05209AFDB41DFA8D54069EBBF5EF45304F1085AA8818E7381E7359F05CB51
                                                        Function 06A08440 Relevance: .0, Instructions: 40COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ac8f5093b71057e48e43ff6145c9f13ed9728580a820e1f3de221098f2a3f647
                                                        • Instruction ID: 799a1cf8df33d10bf0ac40d09fbcfafb4f2414977b4f27b8b75ab8d4ddc0303c
                                                        • Opcode Fuzzy Hash: ac8f5093b71057e48e43ff6145c9f13ed9728580a820e1f3de221098f2a3f647
                                                        • Instruction Fuzzy Hash: EE01ECB4E04209EFDB40EFA9D5406AEBBF9EB48300F1085A98818E7380E7359E01CF51
                                                        Function 06A060F0 Relevance: .0, Instructions: 40COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8ba1402c77a25a7b265de04795e3e98ed1c24c286eea8e4aaec111635ab9b495
                                                        • Instruction ID: 955d0165668dfc93d5426f619b19c6427004d02f757d84af7317489e814b51c1
                                                        • Opcode Fuzzy Hash: 8ba1402c77a25a7b265de04795e3e98ed1c24c286eea8e4aaec111635ab9b495
                                                        • Instruction Fuzzy Hash: 18F090717092A52F9315C76A9C98D6BBFE9EBCA26031581BAF448CB352CA308C05C7A0
                                                        Function 06A07F41 Relevance: .0, Instructions: 40COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ac355119392f7b35e45cb5861614a5d263d4ed96370270193f91ad9e1f3eafe4
                                                        • Instruction ID: 16dbaf5ec38d921b19bc720f5d0687bcf3cb76ff202089b06700e8188e06812a
                                                        • Opcode Fuzzy Hash: ac355119392f7b35e45cb5861614a5d263d4ed96370270193f91ad9e1f3eafe4
                                                        • Instruction Fuzzy Hash: C7F03CB4E09319AFDB41DFA999455AEBFF8EF05340F1085A6D819E7381E7708A01CB91
                                                        Function 06A06C18 Relevance: .0, Instructions: 40COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 37b280cc08f8464772aa4764e7f322fbf2133befcde884ec638a950b1e9e1694
                                                        • Instruction ID: 87fd62e4dbbd80639553ff803f969780e32ff830df034732f97ec8e456e465b9
                                                        • Opcode Fuzzy Hash: 37b280cc08f8464772aa4764e7f322fbf2133befcde884ec638a950b1e9e1694
                                                        • Instruction Fuzzy Hash: 18014FB4D0524AAFDB51DFB8D9056AEBBF4EF45300F0481AAD805E7382E7349E14CB91
                                                        Function 06A0CB30 Relevance: .0, Instructions: 39COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 22b918ed1f5699ffaa86b1baf236e65c4982807951eed15139adcd84f27a03f9
                                                        • Instruction ID: d43b87b7b5c3748b80c39f3cff696e293eff2072158c33c80ca1b976171eb522
                                                        • Opcode Fuzzy Hash: 22b918ed1f5699ffaa86b1baf236e65c4982807951eed15139adcd84f27a03f9
                                                        • Instruction Fuzzy Hash: ABF03170D0C148DFF744EF6AE4409B8BBB8EB5B311F109295940A5B192D7349E44DB80
                                                        Function 06A05898 Relevance: .0, Instructions: 38COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 84f5ae7abd24d3a2b67be4279306b47be9ed6ccaa85e6cfc8a3ebc84c18514eb
                                                        • Instruction ID: 5b43e4241c12a08767fd32782fa357a5af57cca2b053f29e896adb221ec0a397
                                                        • Opcode Fuzzy Hash: 84f5ae7abd24d3a2b67be4279306b47be9ed6ccaa85e6cfc8a3ebc84c18514eb
                                                        • Instruction Fuzzy Hash: 21F0F866C2A3A11FF7237B78A8B12C93F609E92A26B094093C1944E053D814449FC3EF
                                                        Function 06A083C8 Relevance: .0, Instructions: 37COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f936f8aa45c14fabc1794cd907c027d974c30f0f10728432c5cc40a3e2d70fdb
                                                        • Instruction ID: b3f0b943c81c95f969317892be59921ee7d7069a09ac052502aa12a932fed296
                                                        • Opcode Fuzzy Hash: f936f8aa45c14fabc1794cd907c027d974c30f0f10728432c5cc40a3e2d70fdb
                                                        • Instruction Fuzzy Hash: F3F09070D05318AFDF41EFB998042AEBFB4EB09300F0085A6D418E7281D3344A15CB80
                                                        Function 06A06C28 Relevance: .0, Instructions: 37COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e265b86d9a898d12d67d42a03983bf63f18f1cf53f241850773080940540bfca
                                                        • Instruction ID: 8e668964511436178cc724d370890568a86e5cd5e2aed80773d9bb24e984f6ab
                                                        • Opcode Fuzzy Hash: e265b86d9a898d12d67d42a03983bf63f18f1cf53f241850773080940540bfca
                                                        • Instruction Fuzzy Hash: 120119B4E0420DDFEB94DFB8E5452AEBBF4FB08300F1490A98809E3380EB309A10CB51
                                                        Function 009ED758 Relevance: .0, Instructions: 36COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1291538571.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_9ed000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0a8f364175a09d834860be5ba9d94b2106c6966c461c4b04dacca83eae5ad0f5
                                                        • Instruction ID: 95d2fccf4dff556edc92dbdda80c71b50cba20c1dcdd743d3afda69336545374
                                                        • Opcode Fuzzy Hash: 0a8f364175a09d834860be5ba9d94b2106c6966c461c4b04dacca83eae5ad0f5
                                                        • Instruction Fuzzy Hash: 86F0C2710053809EE7208B06DC84B62FFACEF54734F18C55AED080A286C37AAC40CAB1
                                                        Function 06A032D0 Relevance: .0, Instructions: 35COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2afbf4d62d16213014b3438e5f87441580e4da3aeddcf7d63df58f8e1443d1a5
                                                        • Instruction ID: c4b008cb6e917f7b58d584115b71d090ae359ec82b3f632329930ad534fe2a62
                                                        • Opcode Fuzzy Hash: 2afbf4d62d16213014b3438e5f87441580e4da3aeddcf7d63df58f8e1443d1a5
                                                        • Instruction Fuzzy Hash: 97F0EC74E04209AFEB41EFA8D45566EF7F4EB49304F108599C815E7380E7759A05CF81
                                                        Function 06A06060 Relevance: .0, Instructions: 34COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f65d8264369ddf2e9a3bcf7beb032aa347bc34fc2dcbc2e4084fd52580d4830d
                                                        • Instruction ID: 92bb456cc223935a9e0bb75ddb4bfa23aefeecca068c90c93a207def979507b7
                                                        • Opcode Fuzzy Hash: f65d8264369ddf2e9a3bcf7beb032aa347bc34fc2dcbc2e4084fd52580d4830d
                                                        • Instruction Fuzzy Hash: 5E011670C44219DFEB50DF6AD4043AEBAF1BF08364F14C625E424AA2D0D3744A54CBD0
                                                        Function 06A043B0 Relevance: .0, Instructions: 33COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 01a73debf97ddb6a1779589058ea4080ccba9b6b6835c58557ae4c36be9de305
                                                        • Instruction ID: c9d6ac32ffba272ffcd87d2e29e5a90a82d8d992f43ce65013fd2b934ba287f7
                                                        • Opcode Fuzzy Hash: 01a73debf97ddb6a1779589058ea4080ccba9b6b6835c58557ae4c36be9de305
                                                        • Instruction Fuzzy Hash: 49F0F9B4E05209EFDB44DFA9E5412AEFBF4FB48300F1185BAC819A3240E7348A16CB91
                                                        Function 06A043C0 Relevance: .0, Instructions: 33COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a8e35311cdc5bf7e45711f48bf6b2354ae140d0939f928a86549e2ef07fa96f4
                                                        • Instruction ID: 2d1531e6cdd801f844b5c221ee3d70d45047f091fabfdfadbc0c91154dd603b9
                                                        • Opcode Fuzzy Hash: a8e35311cdc5bf7e45711f48bf6b2354ae140d0939f928a86549e2ef07fa96f4
                                                        • Instruction Fuzzy Hash: 59F0A9B4D05209EFDB44DFA9E5416AEBBF8FB48300F1095A9D919E3340E7309A15CF91
                                                        Function 06A07F50 Relevance: .0, Instructions: 33COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f408d69bb9baa7dc67598b6545d97dab8522557eb329ab136cb02ea9c2be686a
                                                        • Instruction ID: b99dc6ab7aa3b112b86863532df8724c0c6eb74c3a162804b802dc4c9b0ec94f
                                                        • Opcode Fuzzy Hash: f408d69bb9baa7dc67598b6545d97dab8522557eb329ab136cb02ea9c2be686a
                                                        • Instruction Fuzzy Hash: 8CF097B4E042099FDB44EFA9E5446AEBBF9BF48300F1085A9D819E3340E7309A00CB91
                                                        Function 06A0592C Relevance: .0, Instructions: 33COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6eb35ece4046cd8e554ef8e2bc7e4dcd4d4c0bc6c96a6afd0392c57e9f133e6d
                                                        • Instruction ID: 687e968db197138c8bc1425c57ca62fa3062bd60371c517513efaa0e1160e311
                                                        • Opcode Fuzzy Hash: 6eb35ece4046cd8e554ef8e2bc7e4dcd4d4c0bc6c96a6afd0392c57e9f133e6d
                                                        • Instruction Fuzzy Hash: 33F08271A04108BFBF48EF58ED4099E7FA9EF44360B05C16AE404EB250D631ED148B94
                                                        Function 06A0B790 Relevance: .0, Instructions: 32COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: acd72da3e18757c3bdc5b88b295f9c68a1b1542fd767032a53b5da087520f136
                                                        • Instruction ID: 3790893839f2d664f1a6a28b9d763b14f6f57044001dbc8439569236637fea62
                                                        • Opcode Fuzzy Hash: acd72da3e18757c3bdc5b88b295f9c68a1b1542fd767032a53b5da087520f136
                                                        • Instruction Fuzzy Hash: B6F037B0E0021AAFEB84DFA9D941AAEBFF4FB08300F008569E414E7280D7718544CFE0
                                                        Function 06A06100 Relevance: .0, Instructions: 32COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 80b997963ee5c8ca3bd3a0b485fc579f52804da2bd59ea86909e4c31530eeebb
                                                        • Instruction ID: 056c04484e43606c46e40c1d668dc40fe6b9a6d37b55d0a52d2b715c3071d5b6
                                                        • Opcode Fuzzy Hash: 80b997963ee5c8ca3bd3a0b485fc579f52804da2bd59ea86909e4c31530eeebb
                                                        • Instruction Fuzzy Hash: B0E039767002286F93149AAAD884D6BBBEEEBCC664355807AF508C7310D9319C0186A0
                                                        Function 06A083D8 Relevance: .0, Instructions: 31COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 82804b23037c67fc46a6a6308b7a30aead6fb18616d5b960a655c8fe751dd846
                                                        • Instruction ID: b9b28b841da6a31b1bbeb1a390e95e3ed42e1c20ba2d8ad68996d324f63ee9a0
                                                        • Opcode Fuzzy Hash: 82804b23037c67fc46a6a6308b7a30aead6fb18616d5b960a655c8fe751dd846
                                                        • Instruction Fuzzy Hash: E1F0B7B4D14208EFEF40EFA9E5456ADBBF8EB49300F4099AAD419E3340E7745A54CB84
                                                        Function 06A03D30 Relevance: .0, Instructions: 31COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 958126d63f68ad2bf9700a35c17a77d56a9218d27053db940974e4f4384483ca
                                                        • Instruction ID: 480daa935abe6e62f69f61f73d6455a2f510f476f09b26e236c4936d8ff8bd01
                                                        • Opcode Fuzzy Hash: 958126d63f68ad2bf9700a35c17a77d56a9218d27053db940974e4f4384483ca
                                                        • Instruction Fuzzy Hash: 74F0B7B4D04209AFDF80EFB9E5456ADBBF8EB09300F1099AAC819E3350E7745A40CB40
                                                        Function 06A03D21 Relevance: .0, Instructions: 30COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cd390a60e8065cdbb85388201935b8ac4b4230d1cd69bf173ced77ae5bc21b6d
                                                        • Instruction ID: b4d05bc32eee4026ce01034f29c2eef135fdd24a27ed4ff1aec88b9faad98737
                                                        • Opcode Fuzzy Hash: cd390a60e8065cdbb85388201935b8ac4b4230d1cd69bf173ced77ae5bc21b6d
                                                        • Instruction Fuzzy Hash: 94F03AB4D04209EFEB40EFB8D5852EEBBF5EF45300F008AAAC819E3251E7705A15CB40
                                                        Function 06A0B7A0 Relevance: .0, Instructions: 29COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5568945a365b13aa53ed38fa61b7caf582d25481d5aa274f7f8977c68016af6f
                                                        • Instruction ID: 779c8034aa1068e92cbc325bd754a1783bb584c868b41062ff671aed1ff29929
                                                        • Opcode Fuzzy Hash: 5568945a365b13aa53ed38fa61b7caf582d25481d5aa274f7f8977c68016af6f
                                                        • Instruction Fuzzy Hash: 9AF030B0D0420A9FDB84DFA9D901A6EBBF4FB48300F004569D514E7350D77189048FE0
                                                        Function 06A0B738 Relevance: .0, Instructions: 27COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bb9f6e13e3be686adbc5e02b03a2e3aa89b276e69ecb8b96aae6c735efe03359
                                                        • Instruction ID: 893db670417d0f3b4cab0fe170ac0377075a8e9e61cc65c9dcf21a41f97e02fc
                                                        • Opcode Fuzzy Hash: bb9f6e13e3be686adbc5e02b03a2e3aa89b276e69ecb8b96aae6c735efe03359
                                                        • Instruction Fuzzy Hash: B9F01C70A81126AFD790DF7AC949A8F7FF4EB04600F108469E019D7252D77181018FE1
                                                        Function 06A08508 Relevance: .0, Instructions: 27COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 05c2c73b11996fdcc9ef1eb74d07746a7e8c5bc075cf60f36d2c0c7bdbd2138f
                                                        • Instruction ID: 2712c8c01425cb31f21ea3168d7627eb3b69d89222b03f559796622174cce845
                                                        • Opcode Fuzzy Hash: 05c2c73b11996fdcc9ef1eb74d07746a7e8c5bc075cf60f36d2c0c7bdbd2138f
                                                        • Instruction Fuzzy Hash: 4EF0C9B4D54208EFDB90EFB8E4446AEBBF4EB0A300F1095A9C409E3280E7385A50CB45
                                                        Function 06A0E558 Relevance: .0, Instructions: 27COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 781332c1ef715556e16fef6f9cd5a2b6710ca49819f74f0073b32c7f950deb8d
                                                        • Instruction ID: 594bbc60b1d8b37b3a5466526da33de438f5ee9f0cbc1cdc2125aa7169bcd287
                                                        • Opcode Fuzzy Hash: 781332c1ef715556e16fef6f9cd5a2b6710ca49819f74f0073b32c7f950deb8d
                                                        • Instruction Fuzzy Hash: A9F0E574E083489FF7A0FB66F404BAD7AFEBB89301F50C8208516572D5DE701805DBA2
                                                        Function 06A0B82F Relevance: .0, Instructions: 27COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2c779289d27fff1f46e5bc16661214698c9e5de5dea5ebe8d9676d267aa892ff
                                                        • Instruction ID: fb8e0dd10057ab4ec1c3579df600309305048cc8bab91d7b33a1ddb144b905bb
                                                        • Opcode Fuzzy Hash: 2c779289d27fff1f46e5bc16661214698c9e5de5dea5ebe8d9676d267aa892ff
                                                        • Instruction Fuzzy Hash: D9E0DF326591190F9B82EBA4BD00C927F68DB1666030184A2E80CCF072E612C83AC3E1
                                                        Function 06A05FBD Relevance: .0, Instructions: 24COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e25ce69fc3642d2787fc955ffa585a7ae8713828466489d3d02c491bae3aa4dc
                                                        • Instruction ID: 6bd29110911a50d17746dba8bf74403b60f7eb17aed2ad8fb26fccd3b48b0823
                                                        • Opcode Fuzzy Hash: e25ce69fc3642d2787fc955ffa585a7ae8713828466489d3d02c491bae3aa4dc
                                                        • Instruction Fuzzy Hash: 9FE0CD76D01135AB8711AFB5AC058DFFF38EF05650B014011F4155B200D3700722CBD1
                                                        Function 06A0FA10 Relevance: .0, Instructions: 23COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7fac3fd8dafd5ed9579dd1bc71189608118a5f340bcb7c0d09f4e723f61ace86
                                                        • Instruction ID: 503ea0acba2cac1139415a4ba5bfc2d7245d7777ca3f4f6ccc6b1534720f29f2
                                                        • Opcode Fuzzy Hash: 7fac3fd8dafd5ed9579dd1bc71189608118a5f340bcb7c0d09f4e723f61ace86
                                                        • Instruction Fuzzy Hash: 93F03975D0020CFFDB41EFA9E44468CBBB5EB88301F10C0AAAD18A7390E6346E61DF41
                                                        Function 06A0A2A0 Relevance: .0, Instructions: 20COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c61da586773fbbc689e306914fe69b4d4b297be066bfa62a2c0d7cb892a0a31a
                                                        • Instruction ID: 4393ecc31d146ec19498e7d0f1fa26665a05cb5ef62e9955a9bf54be4616a338
                                                        • Opcode Fuzzy Hash: c61da586773fbbc689e306914fe69b4d4b297be066bfa62a2c0d7cb892a0a31a
                                                        • Instruction Fuzzy Hash: EFD02E3010E3A06FD313276678082AA3F64EB03201B000281E68C8B0E3CA644D2BCBF2
                                                        Function 06A04E90 Relevance: .0, Instructions: 20COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9fafa0cb26ca2eda50613326bb1507ce3b6fb3f82e0a41dbf55585e76bf275b1
                                                        • Instruction ID: 3a7c1096c7aeae5690d4a2994b720e4671e4462246b5d906a3ac688d11b8873c
                                                        • Opcode Fuzzy Hash: 9fafa0cb26ca2eda50613326bb1507ce3b6fb3f82e0a41dbf55585e76bf275b1
                                                        • Instruction Fuzzy Hash: CBE08C30D0020CEBEB80FBA4A8046AE76F8EB0A300F500598C505573C0D7711E58D6C1
                                                        Function 06A055D0 Relevance: .0, Instructions: 19COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9c419ad107fb9032997f0053bf620bee459ee5e270f4882df563e8ec1343ab04
                                                        • Instruction ID: 925160d690d0699cf2fda3473a55efb49eaf083fa02d4ef8f41d005c7966499f
                                                        • Opcode Fuzzy Hash: 9c419ad107fb9032997f0053bf620bee459ee5e270f4882df563e8ec1343ab04
                                                        • Instruction Fuzzy Hash: 55D012710896A16EE35766105D2ECA73F68FA575907168883E8C9CF0B3CD14892BD7E2
                                                        Function 06A0B748 Relevance: .0, Instructions: 18COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 74a1a027f93f7afeb9cdc729ca55c34cf048364f77a19b71c3c33ac6dfd273ff
                                                        • Instruction ID: d227746782c41b36e799f47c1448f3d99b6b3b495d6f12e220a74340787b3685
                                                        • Opcode Fuzzy Hash: 74a1a027f93f7afeb9cdc729ca55c34cf048364f77a19b71c3c33ac6dfd273ff
                                                        • Instruction Fuzzy Hash: 85E0B6B0D40209EFE780EFB9DA45A5EBBF0BF08700F1185A9D019E7361E77596058F91
                                                        Function 06A05FC8 Relevance: .0, Instructions: 16COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                                        • Instruction ID: fc30ac6c173ae90ec36587ee39c3faba4919df6e71f682090eca5ef24ff906de
                                                        • Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                                        • Instruction Fuzzy Hash: CAD09E72D001399B8B10AFE9DD054DFFF79EF05650B418126E915A7100D3755A21DBD1
                                                        Function 06A0AA81 Relevance: .0, Instructions: 14COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e6b970c445a1b40ce27c176255b0b4890a198d7318b5624ee2e316a9cba9e49c
                                                        • Instruction ID: a123b12f22ce89564124bd567187f8e97160575e9e3607340ab5b409a4a29ec6
                                                        • Opcode Fuzzy Hash: e6b970c445a1b40ce27c176255b0b4890a198d7318b5624ee2e316a9cba9e49c
                                                        • Instruction Fuzzy Hash: BDD09275A16219CFEB60EB54EC40BDCBBB5FB84215F0012A2D10DA7615D7312EA5CE41
                                                        Function 06A0C02A Relevance: .0, Instructions: 13COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b7c6c2276a66e0d6129871dc0e6a45f6d76ee7d0e00608af3a736a590444342f
                                                        • Instruction ID: cba9d3552ea252d836c103a59c880980b2e56898f11ecc857245222cc2c6a888
                                                        • Opcode Fuzzy Hash: b7c6c2276a66e0d6129871dc0e6a45f6d76ee7d0e00608af3a736a590444342f
                                                        • Instruction Fuzzy Hash: 0FE06770904298CFE7549F65E544A58B7B5FF4A316F501499E40A6B291CB3A9D81CF10
                                                        Function 06A0A2B0 Relevance: .0, Instructions: 10COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 313f433eb38a2543b8ebc387d6b690e41b38e41f518d35564c3a7ded7f8ac1c2
                                                        • Instruction ID: e3ac0969a6eb5c82e8b26741d282405732c5aa40fe3c4160ba54eb86cacb6c26
                                                        • Opcode Fuzzy Hash: 313f433eb38a2543b8ebc387d6b690e41b38e41f518d35564c3a7ded7f8ac1c2
                                                        • Instruction Fuzzy Hash: E8C08C7140074897E30037AAB40C32873A8AB06302F801160EB09008A24AB41C24CEA6
                                                        Function 06A058E4 Relevance: .0, Instructions: 8COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ab2bfe36502f9b3b42004879752224e16ef75c5066b0934a01d4f146647215f2
                                                        • Instruction ID: 3273aa03a361b21f32719da7c33191d082385ac71502df90ae852a84edf85414
                                                        • Opcode Fuzzy Hash: ab2bfe36502f9b3b42004879752224e16ef75c5066b0934a01d4f146647215f2
                                                        • Instruction Fuzzy Hash: FCB012B59A9300B7719477F05E40B2F5811EFB1750B048C023244560C0C871E83AD66B

                                                        Non-executed Functions

                                                        Function 06A0F5D8 Relevance: .3, Instructions: 312COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f47b5101079dfe5042404e5956ed929c374e9500102500c799b3f997a9357439
                                                        • Instruction ID: 848c986f1f1f1a0c19200b0234152ef4742b5449b9d3b50ba1d604571f4169b2
                                                        • Opcode Fuzzy Hash: f47b5101079dfe5042404e5956ed929c374e9500102500c799b3f997a9357439
                                                        • Instruction Fuzzy Hash: 66E1F974E002198FDB54DFA9D580AAEFBB2BF89304F248159D855AB356DB30AD41CFA0
                                                        Function 06A0F1A0 Relevance: .3, Instructions: 312COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8cb32263880eb1c2f3978047405d6b2cc0967ba1c2fe1359c5a306a69e7acc02
                                                        • Instruction ID: 2fe45191ac478f2d7c4308d63d0d0043459f9c393d13189f09726276f56a9bd1
                                                        • Opcode Fuzzy Hash: 8cb32263880eb1c2f3978047405d6b2cc0967ba1c2fe1359c5a306a69e7acc02
                                                        • Instruction Fuzzy Hash: 19E1F874E002198FDB54DFA9D580AAEFBB2BF89304F248169D855BB356C730AD41CF61
                                                        Function 06B40040 Relevance: .3, Instructions: 312COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297291642.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6b40000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 855b6b4d3886a6f4a26d9fc84f37cb0eff281a09ef90956dbcf2bcfea658b757
                                                        • Instruction ID: 9081c9217df687cfa5dad7fc064e81a2644a352cf92407c8ccc032eefe19745c
                                                        • Opcode Fuzzy Hash: 855b6b4d3886a6f4a26d9fc84f37cb0eff281a09ef90956dbcf2bcfea658b757
                                                        • Instruction Fuzzy Hash: 7AE10AB4E002198FDB54EFA9C580AAEBBF2FF89304F248159D555AB356DB30AD41CF60
                                                        Function 06B409F0 Relevance: .3, Instructions: 312COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297291642.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6b40000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f40e6f60952e7cb20c2e21e0fce50dc1a1a9e5d5ae93a0e68e6bb84a63a9322d
                                                        • Instruction ID: 6ea370b1552676af4ca2b98a66d0270f419afa17ea2eed654c4645e31176e44e
                                                        • Opcode Fuzzy Hash: f40e6f60952e7cb20c2e21e0fce50dc1a1a9e5d5ae93a0e68e6bb84a63a9322d
                                                        • Instruction Fuzzy Hash: 67E1F9B4E002198FDB54EFA9C580AAEBBF2FF49304F248169D555AB356D730AD41CF60
                                                        Function 06A06669 Relevance: .3, Instructions: 290COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cf173504f81d3db82097126447f40b35ab3f95418821808c67995c1ce6080883
                                                        • Instruction ID: 3e31a7eb591cea83f5b8d294bc796cccdc4cb1d227717d56c639a26edbafd7cc
                                                        • Opcode Fuzzy Hash: cf173504f81d3db82097126447f40b35ab3f95418821808c67995c1ce6080883
                                                        • Instruction Fuzzy Hash: 77E13835D10B5A9ACB10EF64D8946A9F7B1FF95300F20C79AD0093B214EB70AAD9CF91
                                                        Function 06A06678 Relevance: .3, Instructions: 264COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 95233af3f445061237da44219b9dfdb757ff9135e7dd110468f4f4388c788519
                                                        • Instruction ID: ea060d6a416c5a0a36002d4224506967183eea8d687028d4e8510dfbb910f4ef
                                                        • Opcode Fuzzy Hash: 95233af3f445061237da44219b9dfdb757ff9135e7dd110468f4f4388c788519
                                                        • Instruction Fuzzy Hash: F4D12735D10B5A9ACB10EF64D9946A9F7B1FF95300F20C79AD0093B214EB70AAD9CF91
                                                        Function 0227D57C Relevance: .3, Instructions: 264COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1291933981.0000000002270000.00000040.00000800.00020000.00000000.sdmp, Offset: 02270000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2270000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0fea1da0cd2a22a7baee936e2e728e166a9f7ca62c1cc6b31ffd20311b3076ba
                                                        • Instruction ID: ad8c6603baaf94cd863f608232cc790c816be6bc1fc37db2bf2c832d5d2098e1
                                                        • Opcode Fuzzy Hash: 0fea1da0cd2a22a7baee936e2e728e166a9f7ca62c1cc6b31ffd20311b3076ba
                                                        • Instruction Fuzzy Hash: 97A17C32E28206CFCF15DFB4CA4459EB7B2FF85304B15856AE801AB669DB71E916CF40
                                                        Function 06B40006 Relevance: .1, Instructions: 149COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297291642.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6b40000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ee8b6ee044b94a525fa839d50db9447169960d4e2aaf9ffc8703aa09a390e591
                                                        • Instruction ID: 10405701a14956bb1306a4c19dda6be458c6bb69e9d12cb2fe1e71ca003c21a9
                                                        • Opcode Fuzzy Hash: ee8b6ee044b94a525fa839d50db9447169960d4e2aaf9ffc8703aa09a390e591
                                                        • Instruction Fuzzy Hash: B4517EB4E042198FDB54DFA9C5805AEFBF2BF8A304F1481AAD458AB356C7309D42CF61
                                                        Function 06A034A8 Relevance: .1, Instructions: 109COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1297213461.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_6a00000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e24fc5b9b9aaa9f4bf54947500737bb618370f8c2e7d2865cf5334c974a18051
                                                        • Instruction ID: 65fc31178ab1f81e796648964900c4c2519f873bf335c23afdd228e8a1805d29
                                                        • Opcode Fuzzy Hash: e24fc5b9b9aaa9f4bf54947500737bb618370f8c2e7d2865cf5334c974a18051
                                                        • Instruction Fuzzy Hash: E341B971E016299BEB68DF6ADC4079AFBF3AFC9300F14C1A9D408AB254EB305985CF51

                                                        Execution Graph

                                                        Execution Coverage:12%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:17
                                                        Total number of Limit Nodes:4
                                                        execution_graph 24311 10b0848 24313 10b084e 24311->24313 24312 10b091b 24313->24312 24315 10b1382 24313->24315 24318 10b1396 24315->24318 24316 10b1480 24316->24313 24318->24316 24319 10b7e80 24318->24319 24320 10b7e8a 24319->24320 24321 10b7ea4 24320->24321 24324 697f6d0 24320->24324 24328 697f6e0 24320->24328 24321->24318 24326 697f6f5 24324->24326 24325 697f90a 24325->24321 24326->24325 24327 697fd29 GlobalMemoryStatusEx GlobalMemoryStatusEx 24326->24327 24327->24326 24330 697f6f5 24328->24330 24329 697f90a 24329->24321 24330->24329 24331 697fd29 GlobalMemoryStatusEx GlobalMemoryStatusEx 24330->24331 24331->24330

                                                        Executed Functions

                                                        Function 06973108 Relevance: 8.0, Strings: 6, Instructions: 545COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 126 6973108-6973129 127 697312b-697312e 126->127 128 6973134-6973153 127->128 129 69738cf-69738d2 127->129 139 6973155-6973158 128->139 140 697316c-6973176 128->140 130 69738d4-69738f3 129->130 131 69738f8-69738fa 129->131 130->131 133 6973901-6973904 131->133 134 69738fc 131->134 133->127 135 697390a-6973913 133->135 134->133 139->140 141 697315a-697316a 139->141 144 697317c-697318b 140->144 141->144 252 697318d call 6973921 144->252 253 697318d call 6973928 144->253 145 6973192-6973197 146 69731a4-6973481 145->146 147 6973199-697319f 145->147 168 6973487-6973536 146->168 169 69738c1-69738ce 146->169 147->135 178 697355f 168->178 179 6973538-697355d 168->179 181 6973568-697357b 178->181 179->181 183 6973581-69735a3 181->183 184 69738a8-69738b4 181->184 183->184 187 69735a9-69735b3 183->187 184->168 185 69738ba 184->185 185->169 187->184 188 69735b9-69735c4 187->188 188->184 189 69735ca-69736a0 188->189 201 69736a2-69736a4 189->201 202 69736ae-69736de 189->202 201->202 206 69736e0-69736e2 202->206 207 69736ec-69736f8 202->207 206->207 208 69736fa-69736fe 207->208 209 6973758-697375c 207->209 208->209 212 6973700-697372a 208->212 210 6973762-697379e 209->210 211 6973899-69738a2 209->211 222 69737a0-69737a2 210->222 223 69737ac-69737ba 210->223 211->184 211->189 219 697372c-697372e 212->219 220 6973738-6973755 212->220 219->220 220->209 222->223 226 69737d1-69737dc 223->226 227 69737bc-69737c7 223->227 230 69737f4-6973805 226->230 231 69737de-69737e4 226->231 227->226 232 69737c9 227->232 236 6973807-697380d 230->236 237 697381d-6973829 230->237 233 69737e6 231->233 234 69737e8-69737ea 231->234 232->226 233->230 234->230 238 6973811-6973813 236->238 239 697380f 236->239 241 6973841-6973892 237->241 242 697382b-6973831 237->242 238->237 239->237 241->211 243 6973835-6973837 242->243 244 6973833 242->244 243->241 244->241 252->145 253->145
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $q$$q$$q$$q$$q$$q
                                                        • API String ID: 0-2069967915
                                                        • Opcode ID: 16fdc93218af29a8132bdef1b77edb5f19ab73d1ad1012dfb798ea414ea8c3f6
                                                        • Instruction ID: c48f3dc66d598f6c04bc3b0f221c81d0653bcc107029f27331d6a4d618b6ba12
                                                        • Opcode Fuzzy Hash: 16fdc93218af29a8132bdef1b77edb5f19ab73d1ad1012dfb798ea414ea8c3f6
                                                        • Instruction Fuzzy Hash: 95320F31E10B198FDB14EF79D85069DF7B6BFC9300F2096A9D449A7614EB30A985CB90
                                                        Function 06975240 Relevance: 1.8, Strings: 1, Instructions: 593COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1209 6975240-697525d 1210 697525f-6975262 1209->1210 1211 6975264-6975273 1210->1211 1212 6975278-697527b 1210->1212 1211->1212 1213 6975285-6975288 1212->1213 1214 697527d-6975280 1212->1214 1215 6975297-697529a 1213->1215 1216 697528a-6975290 1213->1216 1214->1213 1220 697529c-69752a0 1215->1220 1221 69752ab-69752ae 1215->1221 1218 6975292 1216->1218 1219 69752b0-69752b6 1216->1219 1218->1215 1225 6975413-6975443 1219->1225 1226 69752bc-69752c4 1219->1226 1222 69752a6 1220->1222 1223 6975405-6975412 1220->1223 1221->1219 1224 69752e6-69752e9 1221->1224 1222->1221 1224->1216 1228 69752eb-69752ee 1224->1228 1233 697544d-6975450 1225->1233 1226->1225 1227 69752ca-69752d7 1226->1227 1227->1225 1230 69752dd-69752e1 1227->1230 1231 69752f0-69752f6 1228->1231 1232 69752fd-6975300 1228->1232 1230->1224 1234 6975342-6975345 1231->1234 1235 69752f8 1231->1235 1236 6975314-6975317 1232->1236 1237 6975302-697530f 1232->1237 1240 6975472-6975475 1233->1240 1241 6975452-6975456 1233->1241 1242 697534a-697534d 1234->1242 1235->1232 1238 69753c2-69753c8 1236->1238 1239 697531d-6975320 1236->1239 1237->1236 1251 697534f-6975362 1238->1251 1252 69753ca 1238->1252 1244 6975322-6975338 1239->1244 1245 697533d-6975340 1239->1245 1248 6975477-697547e 1240->1248 1249 697547f-6975482 1240->1249 1246 6975542-697557c 1241->1246 1247 697545c-6975464 1241->1247 1250 6975367-697536a 1242->1250 1242->1251 1244->1245 1245->1234 1245->1242 1289 697557e-6975581 1246->1289 1247->1246 1253 697546a-697546d 1247->1253 1254 69754a4-69754a7 1249->1254 1255 6975484-6975488 1249->1255 1257 697536c-6975373 1250->1257 1258 6975378-697537b 1250->1258 1251->1250 1256 69753cf-69753d2 1252->1256 1253->1240 1259 69754c9-69754cc 1254->1259 1260 69754a9-69754ad 1254->1260 1255->1246 1266 697548e-6975496 1255->1266 1267 69753d4-69753d5 1256->1267 1268 69753da-69753dd 1256->1268 1257->1258 1261 6975394-6975397 1258->1261 1262 697537d-697538f 1258->1262 1270 69754ce-69754d5 1259->1270 1271 69754dc-69754df 1259->1271 1260->1246 1269 69754b3-69754bb 1260->1269 1272 69753bd-69753c0 1261->1272 1273 6975399-69753b8 1261->1273 1262->1261 1266->1246 1274 697549c-697549f 1266->1274 1267->1268 1275 69753df-69753e8 1268->1275 1276 69753e9-69753ec 1268->1276 1269->1246 1277 69754c1-69754c4 1269->1277 1279 69754d7 1270->1279 1280 697553a-6975541 1270->1280 1281 69754e1-69754eb 1271->1281 1282 69754f0-69754f3 1271->1282 1272->1238 1272->1256 1273->1272 1274->1254 1284 69753f3-69753f5 1276->1284 1285 69753ee-69753f0 1276->1285 1277->1259 1279->1271 1281->1282 1287 69754f5-6975506 1282->1287 1288 697550b-697550e 1282->1288 1290 69753f7 1284->1290 1291 69753fc-69753ff 1284->1291 1285->1284 1287->1288 1295 6975510-6975514 1288->1295 1296 6975528-697552a 1288->1296 1293 6975667-69757fb 1289->1293 1294 6975587-697558a 1289->1294 1290->1291 1291->1210 1291->1223 1359 6975931-6975944 1293->1359 1360 6975801-6975808 1293->1360 1302 69755a2-69755a5 1294->1302 1303 697558c-697559f 1294->1303 1295->1246 1297 6975516-697551e 1295->1297 1298 6975531-6975534 1296->1298 1299 697552c 1296->1299 1297->1246 1305 6975520-6975523 1297->1305 1298->1233 1298->1280 1299->1298 1306 69755a7-69755b8 1302->1306 1307 69755bf-69755c2 1302->1307 1305->1296 1314 6975631-6975638 1306->1314 1315 69755ba 1306->1315 1307->1293 1308 69755c8-69755cb 1307->1308 1312 69755d5-69755d8 1308->1312 1313 69755cd-69755d2 1308->1313 1316 69755f2-69755f5 1312->1316 1317 69755da-69755eb 1312->1317 1313->1312 1319 697563d-6975640 1314->1319 1315->1307 1320 69755f7-6975608 1316->1320 1321 697560f-6975612 1316->1321 1317->1314 1329 69755ed 1317->1329 1324 6975642-6975653 1319->1324 1325 697565e-6975661 1319->1325 1320->1303 1331 697560a 1320->1331 1322 6975614-6975625 1321->1322 1323 697562c-697562f 1321->1323 1322->1314 1336 6975627 1322->1336 1323->1314 1323->1319 1324->1306 1338 6975659 1324->1338 1325->1293 1330 6975947-697594a 1325->1330 1329->1316 1334 697594c-6975953 1330->1334 1335 6975958-697595a 1330->1335 1331->1321 1334->1335 1339 6975961-6975964 1335->1339 1340 697595c 1335->1340 1336->1323 1338->1325 1339->1289 1341 697596a-6975973 1339->1341 1340->1339 1361 697580e-6975841 1360->1361 1362 69758bc-69758c3 1360->1362 1372 6975846-6975887 1361->1372 1373 6975843 1361->1373 1362->1359 1363 69758c5-69758f8 1362->1363 1375 69758fd-697592a 1363->1375 1376 69758fa 1363->1376 1384 697589f-69758a6 1372->1384 1385 6975889-697589a 1372->1385 1373->1372 1375->1341 1376->1375 1387 69758ae-69758b0 1384->1387 1385->1341 1387->1341
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $
                                                        • API String ID: 0-3993045852
                                                        • Opcode ID: f12462aec49d3481a90f1998becba063eac6a9c5930d159a409daee695b9416c
                                                        • Instruction ID: 48eb1cd07f5777aeab4a80d24935a622b700292452ba3f4d6088be92b80c8e04
                                                        • Opcode Fuzzy Hash: f12462aec49d3481a90f1998becba063eac6a9c5930d159a409daee695b9416c
                                                        • Instruction Fuzzy Hash: 6C229F71E002188FDFA4DBA8D4806AEBBB6FF85320F258469D845EB794DE31DC45CB91
                                                        Function 0697233A Relevance: 1.0, Instructions: 1033COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ee1d1bd78524241e662d04d78edcf4b9bcc64201cb05d62426f02d35ab197a34
                                                        • Instruction ID: 920157d317288610f915f671d0f7d75c2a2bbaabfe02bbb73b8a802d79522f08
                                                        • Opcode Fuzzy Hash: ee1d1bd78524241e662d04d78edcf4b9bcc64201cb05d62426f02d35ab197a34
                                                        • Instruction Fuzzy Hash: 2F925734E102088FDBA4CB68C588B9DBBF2FB45314F6884A9D4499B765DB31ED85CF80
                                                        Function 06976290 Relevance: .8, Instructions: 836COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 36e6e01f38b27daa73ed7f860c53419110a93741a243fe2ccd65398566a6f9ec
                                                        • Instruction ID: 376f4f692be6dda346bf2d82f52801a854aa2c2f813bb20aa0e591e6b496b549
                                                        • Opcode Fuzzy Hash: 36e6e01f38b27daa73ed7f860c53419110a93741a243fe2ccd65398566a6f9ec
                                                        • Instruction Fuzzy Hash: 48628C34A00A089FDB64DB68D590BADBBF6FF88314F248469D805DB795DB31ED46CB80
                                                        Function 0697C220 Relevance: .6, Instructions: 646COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 52628f9736dc1bac18d1e209c152688b0bc982163a5860fa3dfaf908689a5138
                                                        • Instruction ID: 719ac6557f1d4acc605a8e8ebaedabea0b2c7259a2f6896acc5dddf4fdd66aa1
                                                        • Opcode Fuzzy Hash: 52628f9736dc1bac18d1e209c152688b0bc982163a5860fa3dfaf908689a5138
                                                        • Instruction Fuzzy Hash: 70326F34B00209DFDB54DB68D990BAEBBB6FB88314F208529E405EB794DB31EC45DB91
                                                        Function 0697B2BB Relevance: .6, Instructions: 568COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3534d8c14de4b4a3fe6d600e7dcffb165d2249dce6e62445e0b2d34e38b47932
                                                        • Instruction ID: e24ae827685f022cff61bdb3edc197d324a05099b34588d5b81d2c2a6331e2c0
                                                        • Opcode Fuzzy Hash: 3534d8c14de4b4a3fe6d600e7dcffb165d2249dce6e62445e0b2d34e38b47932
                                                        • Instruction Fuzzy Hash: D5225E30E002098FEF64DF68D4907AEB7B6FB49310F24852AE415DBB99DA35DC81DB91
                                                        Function 0697AD60 Relevance: 10.4, Strings: 8, Instructions: 392COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 0 697ad60-697ad7e 1 697ad80-697ad83 0->1 2 697ad85-697ad8a 1->2 3 697ad8d-697ad90 1->3 2->3 4 697ad92-697ad9b 3->4 5 697adaa-697adad 3->5 6 697af97-697afa4 4->6 7 697ada1-697ada5 4->7 8 697adaf-697adb3 5->8 9 697adbe-697adc1 5->9 19 697afa7-697afce 6->19 20 697af36-697af38 6->20 7->5 10 697af8c-697af96 8->10 11 697adb9 8->11 12 697adc3-697adcc 9->12 13 697add1-697add4 9->13 11->9 12->13 15 697adf7-697adfa 13->15 16 697add6-697adf2 13->16 17 697ae14-697ae17 15->17 18 697adfc-697ae0f 15->18 16->15 23 697af7d-697af86 17->23 24 697ae1d-697ae20 17->24 18->17 21 697afd0-697afd3 19->21 22 697af42-697af73 20->22 27 697afd5 call 697b2bb 21->27 28 697afe2-697afe5 21->28 61 697af7a 22->61 23->4 23->10 29 697ae34-697ae36 24->29 30 697ae22-697ae2f 24->30 37 697afdb-697afdd 27->37 33 697afe7-697afeb 28->33 34 697aff2-697aff5 28->34 35 697ae3d-697ae40 29->35 36 697ae38 29->36 30->29 39 697afed 33->39 40 697b00b-697b046 33->40 41 697aff7-697b001 34->41 42 697b002-697b005 34->42 35->1 43 697ae46-697ae6a 35->43 36->35 37->28 39->34 53 697b04c-697b058 40->53 54 697b239-697b24c 40->54 42->40 45 697b26e-697b271 42->45 60 697ae70-697ae7f 43->60 43->61 46 697b294-697b296 45->46 47 697b273-697b28f 45->47 51 697b29d-697b2a0 46->51 52 697b298 46->52 47->46 51->21 58 697b2a6-697b2b0 51->58 52->51 63 697b05a-697b073 53->63 64 697b078-697b0bc 53->64 57 697b24e 54->57 66 697b24f 57->66 70 697ae97-697aed2 call 6976240 60->70 71 697ae81-697ae87 60->71 61->23 63->57 83 697b0be-697b0d0 64->83 84 697b0d8-697b117 64->84 66->66 86 697aed4-697aeda 70->86 87 697aeea-697af01 70->87 72 697ae8b-697ae8d 71->72 73 697ae89 71->73 72->70 73->70 83->84 92 697b1fe-697b213 84->92 93 697b11d-697b1f8 call 6976240 84->93 90 697aede-697aee0 86->90 91 697aedc 86->91 100 697af03-697af09 87->100 101 697af19-697af2a 87->101 90->87 91->87 92->54 93->92 103 697af0d-697af0f 100->103 104 697af0b 100->104 101->22 107 697af2c-697af32 101->107 103->101 104->101 107->20 109 697af34 107->109 109->22
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $q$$q$$q$$q$$q$$q$$q$$q
                                                        • API String ID: 0-3886557441
                                                        • Opcode ID: 7635002fc7e39f13c4e936e52cd1653f2f51639cd9b9bbe0ab5ff76f66b78978
                                                        • Instruction ID: fad6203c5622694734ef75fad1bce357e3525a9778c87e269a907a31c7aabe00
                                                        • Opcode Fuzzy Hash: 7635002fc7e39f13c4e936e52cd1653f2f51639cd9b9bbe0ab5ff76f66b78978
                                                        • Instruction Fuzzy Hash: 23E16D30E103098FDB65DF69D8906AEB7B6FF84315F208929E8059B758DB31EC46CB91
                                                        Function 0697B6E8 Relevance: 8.0, Strings: 6, Instructions: 471COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 254 697b6e8-697b708 255 697b70a-697b70d 254->255 256 697b717-697b71a 255->256 257 697b70f-697b714 255->257 258 697b734-697b737 256->258 259 697b71c-697b722 256->259 257->256 262 697b74b-697b74e 258->262 263 697b739-697b740 258->263 260 697ba83-697babe 259->260 261 697b728-697b72f 259->261 276 697bac0-697bac3 260->276 261->258 266 697b761-697b764 262->266 267 697b750-697b75c 262->267 264 697b746 263->264 265 697b81e-697b827 263->265 264->262 268 697b82c-697b82f 265->268 270 697b95c-697b962 266->270 271 697b76a-697b76d 266->271 267->266 273 697b831-697b837 268->273 274 697b83c-697b83f 268->274 270->259 272 697b968 270->272 277 697b914-697b915 271->277 278 697b773-697b776 271->278 281 697b96d-697b970 272->281 273->274 282 697b851-697b854 274->282 283 697b841 274->283 285 697bae6-697bae9 276->285 286 697bac5-697bae1 276->286 284 697b91a-697b91d 277->284 279 697b7b5-697b7b8 278->279 280 697b778-697b78d 278->280 289 697b7da-697b7dd 279->289 290 697b7ba-697b7d5 279->290 280->260 318 697b793-697b7b0 280->318 291 697b972-697b97b 281->291 292 697b980-697b983 281->292 293 697b856-697b85a 282->293 294 697b87b-697b87e 282->294 298 697b849-697b84c 283->298 295 697b944-697b947 284->295 296 697b91f-697b923 284->296 287 697bd55-697bd57 285->287 288 697baef-697bb17 285->288 286->285 302 697bd5e-697bd61 287->302 303 697bd59 287->303 361 697bb21-697bb65 288->361 362 697bb19-697bb1c 288->362 310 697b7f3-697b7f6 289->310 311 697b7df-697b7e8 289->311 290->289 291->292 308 697b985-697b99a 292->308 309 697b9c1-697b9c4 292->309 293->260 299 697b860-697b870 293->299 304 697b8d3-697b8d6 294->304 305 697b880-697b8ce call 6976240 294->305 306 697b957-697b95a 295->306 307 697b949-697b952 295->307 296->260 300 697b929-697b939 296->300 298->282 299->277 341 697b876 299->341 342 697b93f 300->342 343 697ba3c-697ba40 300->343 302->276 319 697bd67-697bd70 302->319 303->302 304->277 316 697b8d8-697b8db 304->316 305->304 306->270 306->281 307->306 308->260 347 697b9a0-697b9bc 308->347 314 697b9c6-697b9ca 309->314 315 697b9db-697b9de 309->315 312 697b819-697b81c 310->312 313 697b7f8-697b814 310->313 321 697ba17-697ba20 311->321 322 697b7ee 311->322 312->265 312->268 313->312 314->260 324 697b9d0-697b9d6 314->324 325 697b9e0-697b9e3 315->325 326 697b9e8-697b9eb 315->326 327 697b8dd-697b8e6 316->327 328 697b8eb-697b8ee 316->328 318->279 321->260 329 697ba22-697ba29 321->329 322->310 324->315 325->326 335 697ba02-697ba05 326->335 336 697b9ed-697b9f1 326->336 327->328 337 697b8f5-697b8f8 328->337 338 697b8f0-697b8f2 328->338 340 697ba2e-697ba31 329->340 351 697ba07-697ba0d 335->351 352 697ba12-697ba15 335->352 336->260 348 697b9f7-697b9fd 336->348 349 697b90f-697b912 337->349 350 697b8fa-697b8fe 337->350 338->337 340->277 353 697ba37-697ba3a 340->353 341->294 342->295 343->260 354 697ba42-697ba52 343->354 347->309 348->335 349->277 349->284 350->260 358 697b904-697b90a 350->358 351->352 352->321 352->340 353->343 360 697ba5d-697ba60 353->360 354->293 366 697ba58 354->366 358->349 360->311 364 697ba66-697ba68 360->364 376 697bb6b-697bb74 361->376 377 697bd4a-697bd54 361->377 362->319 367 697ba6f-697ba72 364->367 368 697ba6a 364->368 366->360 367->255 370 697ba78-697ba82 367->370 368->367 379 697bd40-697bd45 376->379 380 697bb7a-697bbe6 call 6976240 376->380 379->377 388 697bce0-697bcf5 380->388 389 697bbec-697bbf1 380->389 388->379 390 697bbf3-697bbf9 389->390 391 697bc0d 389->391 393 697bbff-697bc01 390->393 394 697bbfb-697bbfd 390->394 395 697bc0f-697bc15 391->395 396 697bc0b 393->396 394->396 397 697bc17-697bc1d 395->397 398 697bc2a-697bc37 395->398 396->395 399 697bc23 397->399 400 697bccb-697bcda 397->400 405 697bc4f-697bc5c 398->405 406 697bc39-697bc3f 398->406 399->398 401 697bc92-697bc9f 399->401 402 697bc5e-697bc6b 399->402 400->388 400->389 411 697bcb7-697bcc4 401->411 412 697bca1-697bca7 401->412 414 697bc83-697bc90 402->414 415 697bc6d-697bc73 402->415 405->400 407 697bc43-697bc45 406->407 408 697bc41 406->408 407->405 408->405 411->400 416 697bcab-697bcad 412->416 417 697bca9 412->417 414->400 418 697bc77-697bc79 415->418 419 697bc75 415->419 416->411 417->411 418->414 419->414
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $q$$q$$q$$q$$q$$q
                                                        • API String ID: 0-2069967915
                                                        • Opcode ID: d2012d64c6bc2f569a758cb3a0573d6955edded3c90997e8389f9dca91873b8c
                                                        • Instruction ID: 9402710bad6cad05a59dbf5374cde3282aadc143604065c2ef690d754384d0de
                                                        • Opcode Fuzzy Hash: d2012d64c6bc2f569a758cb3a0573d6955edded3c90997e8389f9dca91873b8c
                                                        • Instruction Fuzzy Hash: 42027930E002098FDFA4DF68D4807ADBBE6FB85314F24852AE415DBA49DB31ED85CB95
                                                        Function 069791E8 Relevance: 5.2, Strings: 4, Instructions: 231COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 422 69791e8-697920d 423 697920f-6979212 422->423 424 6979214-6979233 423->424 425 6979238-697923b 423->425 424->425 426 6979241-6979256 425->426 427 6979afb-6979afd 425->427 434 697926e-6979284 426->434 435 6979258-697925e 426->435 429 6979b04-6979b07 427->429 430 6979aff 427->430 429->423 432 6979b0d-6979b17 429->432 430->429 439 697928f-6979291 434->439 436 6979262-6979264 435->436 437 6979260 435->437 436->434 437->434 440 6979293-6979299 439->440 441 69792a9-697931a 439->441 442 697929d-697929f 440->442 443 697929b 440->443 452 6979346-6979362 441->452 453 697931c-697933f 441->453 442->441 443->441 458 6979364-6979387 452->458 459 697938e-69793a9 452->459 453->452 458->459 464 69793d4-69793ef 459->464 465 69793ab-69793cd 459->465 470 69793f1-6979413 464->470 471 697941a-6979424 464->471 465->464 470->471 472 6979426-697942f 471->472 473 6979434-69794ae 471->473 472->432 479 69794b0-69794ce 473->479 480 69794fb-6979510 473->480 484 69794d0-69794df 479->484 485 69794ea-69794f9 479->485 480->427 484->485 485->479 485->480
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $q$$q$$q$$q
                                                        • API String ID: 0-4102054182
                                                        • Opcode ID: 36db3dbf32a5b466791f918245d472c8ae35b56599440c97df116a76a11334cb
                                                        • Instruction ID: 9f5dffbd4720e1ba69ece0d6a061d8133dda39498c08b50943e506ed7378b75f
                                                        • Opcode Fuzzy Hash: 36db3dbf32a5b466791f918245d472c8ae35b56599440c97df116a76a11334cb
                                                        • Instruction Fuzzy Hash: 8A917030B006198FDB64DB69D851BAEB7B6FF89300F108565D8199B748EF70DD46CB90
                                                        Function 0697CFE0 Relevance: 4.6, Strings: 3, Instructions: 803COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 488 697cfe0-697cffb 489 697cffd-697d000 488->489 490 697d023-697d026 489->490 491 697d002-697d01e 489->491 492 697d043-697d046 490->492 493 697d028-697d03e 490->493 491->490 494 697d08f-697d092 492->494 495 697d048-697d08a 492->495 493->492 498 697d094-697d096 494->498 499 697d0a1-697d0a4 494->499 495->494 501 697d387-697d390 498->501 502 697d09c 498->502 503 697d0a6-697d0e8 499->503 504 697d0ed-697d0f0 499->504 508 697d392-697d397 501->508 509 697d39f-697d3ab 501->509 502->499 503->504 506 697d0f6-697d0f9 504->506 507 697d4cc-697d4d8 504->507 511 697d103-697d106 506->511 512 697d0fb-697d100 506->512 517 697d32e-697d33d 507->517 518 697d4de-697d7cb 507->518 508->509 513 697d3b1-697d3c5 509->513 514 697d4bc-697d4c1 509->514 519 697d14f-697d152 511->519 520 697d108-697d14a 511->520 512->511 532 697d4c9 513->532 534 697d3cb-697d3dd 513->534 514->532 521 697d33f-697d344 517->521 522 697d34c-697d358 517->522 701 697d9f2-697d9fc 518->701 702 697d7d1-697d7d7 518->702 524 697d154-697d196 519->524 525 697d19b-697d19e 519->525 520->519 521->522 529 697d35e-697d370 522->529 530 697d9fd-697da36 522->530 524->525 535 697d1e7-697d1ea 525->535 536 697d1a0-697d1af 525->536 547 697d375-697d377 529->547 551 697da38-697da3b 530->551 532->507 566 697d401-697d403 534->566 567 697d3df-697d3e5 534->567 541 697d233-697d236 535->541 542 697d1ec-697d22e 535->542 544 697d1b1-697d1b6 536->544 545 697d1be-697d1ca 536->545 548 697d245-697d248 541->548 549 697d238-697d23a 541->549 542->541 544->545 545->530 550 697d1d0-697d1e2 545->550 563 697d37e-697d381 547->563 564 697d379 547->564 557 697d291-697d294 548->557 558 697d24a-697d28c 548->558 549->532 555 697d240 549->555 550->535 560 697da6e-697da71 551->560 561 697da3d-697da69 551->561 555->548 571 697d296-697d2d8 557->571 572 697d2dd-697d2e0 557->572 558->557 568 697da94-697da97 560->568 569 697da73-697da8f 560->569 561->560 563->489 563->501 564->563 570 697d40d-697d419 566->570 575 697d3e7 567->575 576 697d3e9-697d3f5 567->576 580 697daa6-697daa8 568->580 581 697da99 call 697db55 568->581 569->568 595 697d427 570->595 596 697d41b-697d425 570->596 571->572 584 697d2e2-697d324 572->584 585 697d329-697d32c 572->585 586 697d3f7-697d3ff 575->586 576->586 590 697daaf-697dab2 580->590 591 697daaa 580->591 600 697da9f-697daa1 581->600 584->585 585->517 585->547 586->570 590->551 601 697dab4-697dac3 590->601 591->590 605 697d42c-697d42e 595->605 596->605 600->580 616 697dac5-697db28 call 6976240 601->616 617 697db2a-697db3f 601->617 605->532 609 697d434-697d450 call 6976240 605->609 633 697d452-697d457 609->633 634 697d45f-697d46b 609->634 616->617 629 697db40 617->629 629->629 633->634 634->514 638 697d46d-697d4ba 634->638 638->532 703 697d7e6-697d7ef 702->703 704 697d7d9-697d7de 702->704 703->530 705 697d7f5-697d808 703->705 704->703 707 697d9e2-697d9ec 705->707 708 697d80e-697d814 705->708 707->701 707->702 709 697d816-697d81b 708->709 710 697d823-697d82c 708->710 709->710 710->530 711 697d832-697d853 710->711 714 697d855-697d85a 711->714 715 697d862-697d86b 711->715 714->715 715->530 716 697d871-697d88e 715->716 716->707 719 697d894-697d89a 716->719 719->530 720 697d8a0-697d8b9 719->720 722 697d9d5-697d9dc 720->722 723 697d8bf-697d8e6 720->723 722->707 722->719 723->530 726 697d8ec-697d8f6 723->726 726->530 727 697d8fc-697d913 726->727 729 697d915-697d920 727->729 730 697d922-697d93d 727->730 729->730 730->722 735 697d943-697d95c call 6976240 730->735 739 697d95e-697d963 735->739 740 697d96b-697d974 735->740 739->740 740->530 741 697d97a-697d9ce 740->741 741->722
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $q$$q$$q
                                                        • API String ID: 0-3067366958
                                                        • Opcode ID: 573a844b4edf67edd53563f78decf3764a81ea456f4807540343e78ca8b8e43d
                                                        • Instruction ID: c4cf1406829ba807868339d3482044acf1c9983e5aa51ab8699069edd899d429
                                                        • Opcode Fuzzy Hash: 573a844b4edf67edd53563f78decf3764a81ea456f4807540343e78ca8b8e43d
                                                        • Instruction Fuzzy Hash: 45626E34B0031A8FDB55EB68D590A9EB7B2FF84304B248A28D4059F759DB31FC4ACB85
                                                        Function 06974808 Relevance: 3.9, Strings: 3, Instructions: 186COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 881 6974808-697482c 882 697482e-6974831 881->882 883 6974837-697492f 882->883 884 6974f10-6974f13 882->884 904 6974935-6974982 call 69750b0 883->904 905 69749b2-69749b9 883->905 885 6974f15-6974f2f 884->885 886 6974f34-6974f36 884->886 885->886 888 6974f3d-6974f40 886->888 889 6974f38 886->889 888->882 891 6974f46-6974f53 888->891 889->888 918 6974988-69749a4 904->918 906 69749bf-6974a2f 905->906 907 6974a3d-6974a46 905->907 924 6974a31 906->924 925 6974a3a 906->925 907->891 921 69749a6 918->921 922 69749af-69749b0 918->922 921->922 922->905 924->925 925->907
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: fq$XPq$\Oq
                                                        • API String ID: 0-132346853
                                                        • Opcode ID: 68d547d6acd74faf13eaf24bd66fab53a0a00c8af0ab107c31ecfca4df9b2263
                                                        • Instruction ID: ee427f49959fa2d41b46aac599990a34cd5c3d17f508823af67a750c9b591502
                                                        • Opcode Fuzzy Hash: 68d547d6acd74faf13eaf24bd66fab53a0a00c8af0ab107c31ecfca4df9b2263
                                                        • Instruction Fuzzy Hash: EA618F30F002089FEB549BA8C9547AEBBF6FF88710F20852AE506AB395DF754C45CB95
                                                        Function 06978118 Relevance: 2.7, Strings: 2, Instructions: 246COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1028 6978118-6978137 1029 6978139-697813c 1028->1029 1030 6978142-697814e 1029->1030 1031 69781ef-69781f2 1029->1031 1034 6978159-697815b 1030->1034 1032 697841e-6978421 1031->1032 1033 69781f8-6978207 1031->1033 1035 6978444-6978446 1032->1035 1036 6978423-697843f 1032->1036 1048 6978226-6978261 1033->1048 1049 6978209-6978224 1033->1049 1037 6978173-697817a 1034->1037 1038 697815d-6978163 1034->1038 1039 697844d-6978450 1035->1039 1040 6978448 1035->1040 1036->1035 1045 697817c-6978189 1037->1045 1046 697818b 1037->1046 1042 6978167-6978169 1038->1042 1043 6978165 1038->1043 1039->1029 1047 6978456-697845f 1039->1047 1040->1039 1042->1037 1043->1037 1050 6978190-6978192 1045->1050 1046->1050 1056 6978267-6978278 1048->1056 1057 69783f2-6978408 1048->1057 1049->1048 1051 6978194-6978197 1050->1051 1052 69781a9-69781e2 1050->1052 1051->1047 1052->1033 1071 69781e4-69781ee 1052->1071 1064 697827e-697829b 1056->1064 1065 69783dd-69783ec 1056->1065 1057->1032 1064->1065 1072 69782a1-6978397 call 6976240 1064->1072 1065->1056 1065->1057 1096 69783a5 1072->1096 1097 6978399-69783a3 1072->1097 1098 69783aa-69783ac 1096->1098 1097->1098 1098->1065 1099 69783ae-69783b3 1098->1099 1100 69783b5-69783bf 1099->1100 1101 69783c1 1099->1101 1102 69783c6-69783c8 1100->1102 1101->1102 1102->1065 1103 69783ca-69783d6 1102->1103 1103->1065
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $q$$q
                                                        • API String ID: 0-3126353813
                                                        • Opcode ID: d13ff23b5952ab0c26bfc5aea8e5f195913bf59eb9ae9961bf73a116b0f9dd7a
                                                        • Instruction ID: 8746a8495dbac1bdae76eab46aa3f31f4a7d214039eaba5dd57ea585bf4ea978
                                                        • Opcode Fuzzy Hash: d13ff23b5952ab0c26bfc5aea8e5f195913bf59eb9ae9961bf73a116b0f9dd7a
                                                        • Instruction Fuzzy Hash: 83819F30B006148FDB58DB79DA547AEB7A6BF84304F208538D815DBB58EB71EC82C790
                                                        Function 069791D8 Relevance: 2.7, Strings: 2, Instructions: 174COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1105 69791d8-697920d 1107 697920f-6979212 1105->1107 1108 6979214-6979233 1107->1108 1109 6979238-697923b 1107->1109 1108->1109 1110 6979241-6979256 1109->1110 1111 6979afb-6979afd 1109->1111 1118 697926e-6979284 1110->1118 1119 6979258-697925e 1110->1119 1113 6979b04-6979b07 1111->1113 1114 6979aff 1111->1114 1113->1107 1116 6979b0d-6979b17 1113->1116 1114->1113 1123 697928f-6979291 1118->1123 1120 6979262-6979264 1119->1120 1121 6979260 1119->1121 1120->1118 1121->1118 1124 6979293-6979299 1123->1124 1125 69792a9-697931a 1123->1125 1126 697929d-697929f 1124->1126 1127 697929b 1124->1127 1136 6979346-6979362 1125->1136 1137 697931c-697933f 1125->1137 1126->1125 1127->1125 1142 6979364-6979387 1136->1142 1143 697938e-69793a9 1136->1143 1137->1136 1142->1143 1148 69793d4-69793ef 1143->1148 1149 69793ab-69793cd 1143->1149 1154 69793f1-6979413 1148->1154 1155 697941a-6979424 1148->1155 1149->1148 1154->1155 1156 6979426-697942f 1155->1156 1157 6979434-69794ae 1155->1157 1156->1116 1163 69794b0-69794ce 1157->1163 1164 69794fb-6979510 1157->1164 1168 69794d0-69794df 1163->1168 1169 69794ea-69794f9 1163->1169 1164->1111 1168->1169 1169->1163 1169->1164
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $q$$q
                                                        • API String ID: 0-3126353813
                                                        • Opcode ID: 51f06f0dc8573d7feb8138230a5d3ae867197ffa7814e395deac8b4801627df7
                                                        • Instruction ID: bdf6d647bd9db057be3f2ce7091ea3f6d736f08043f6f80012f7e9d8fdaabc49
                                                        • Opcode Fuzzy Hash: 51f06f0dc8573d7feb8138230a5d3ae867197ffa7814e395deac8b4801627df7
                                                        • Instruction Fuzzy Hash: 45518130B016089FDB54EB69D961B6EBBE6FF88300F108569D809DB748EB71DC46CB91
                                                        Function 010BE580 Relevance: 1.6, APIs: 1, Instructions: 138COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1491 10be580-10be59b 1492 10be59d-10be5c4 1491->1492 1493 10be5c5-10be5db 1491->1493 1514 10be5dd call 10be668 1493->1514 1515 10be5dd call 10be580 1493->1515 1496 10be5e2-10be5e4 1497 10be5ea-10be649 1496->1497 1498 10be5e6-10be5e9 1496->1498 1505 10be64b-10be64e 1497->1505 1506 10be64f-10be6dc GlobalMemoryStatusEx 1497->1506 1510 10be6de-10be6e4 1506->1510 1511 10be6e5-10be70d 1506->1511 1510->1511 1514->1496 1515->1496
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3737367032.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_10b0000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b39b4feeb4a2a193a6dabb36715579a5004e2873f3c4880efcc881ff4d98471c
                                                        • Instruction ID: 5733fc6369fa37f675e334cf1705ee01eefdb206452d9f6e4150ad4be6d588b6
                                                        • Opcode Fuzzy Hash: b39b4feeb4a2a193a6dabb36715579a5004e2873f3c4880efcc881ff4d98471c
                                                        • Instruction Fuzzy Hash: 3D412132D003499FDB10DFB9E8047DEBBF5AFC9210F15856AE904A7281EB349845CBE1
                                                        Function 010BE668 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1516 10be668-10be6dc GlobalMemoryStatusEx 1518 10be6de-10be6e4 1516->1518 1519 10be6e5-10be70d 1516->1519 1518->1519
                                                        APIs
                                                        • GlobalMemoryStatusEx.KERNELBASE ref: 010BE6CF
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3737367032.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_10b0000_Quotation.jbxd
                                                        Similarity
                                                        • API ID: GlobalMemoryStatus
                                                        • String ID:
                                                        • API String ID: 1890195054-0
                                                        • Opcode ID: f546c088c4876848afe855d327e7fdbc1033454e26cd7ce44b9c95cffe0271bd
                                                        • Instruction ID: 4f896055b0bf1343c71007ff5d77926b5a62735213ba3213969ad748f18698e5
                                                        • Opcode Fuzzy Hash: f546c088c4876848afe855d327e7fdbc1033454e26cd7ce44b9c95cffe0271bd
                                                        • Instruction Fuzzy Hash: CF1123B1C0025A9BDB10DF9AC445BDEFBF4AF48320F10816AD818A7240D778A945CFA5
                                                        Function 069747F9 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: XPq
                                                        • API String ID: 0-1601936878
                                                        • Opcode ID: 849152d6228001d7bc4ccb558f070e61e7ba82db31c94081c561f4e85c2b0efe
                                                        • Instruction ID: fa0c424f29624ac81cb8edb60aacc62b70eb9b0aef03a4b292c5bb0752daebc2
                                                        • Opcode Fuzzy Hash: 849152d6228001d7bc4ccb558f070e61e7ba82db31c94081c561f4e85c2b0efe
                                                        • Instruction Fuzzy Hash: F7416E30B002089FEB549FA9C854B9EBBF6FF88700F208529E545AB395DF719C05CB91
                                                        Function 0697DB55 Relevance: 1.4, Strings: 1, Instructions: 123COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: PHq
                                                        • API String ID: 0-3820536768
                                                        • Opcode ID: d8f3e77252b20257c599bb8ad406b5ef64a4838f7228204a7695bc6fa7f4813f
                                                        • Instruction ID: e8097d7d6bfb4cd081305f0c4b7939dfb09b20d8a0cb9610c32b623b2800c07a
                                                        • Opcode Fuzzy Hash: d8f3e77252b20257c599bb8ad406b5ef64a4838f7228204a7695bc6fa7f4813f
                                                        • Instruction Fuzzy Hash: 5F41C170E00309DFDF65DF65C49469EBBB6FF85300F24452AE402EB644DB71A84ACB81
                                                        Function 069721AD Relevance: 1.4, Strings: 1, Instructions: 109COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: PHq
                                                        • API String ID: 0-3820536768
                                                        • Opcode ID: e34d4602ed702dff9006ef70f70129532f64560ddef90bbe3af033634415f953
                                                        • Instruction ID: 29fa8b06b92f79eda5f610c843f546423f27cb95448b5d8a8ddc162020fa15a8
                                                        • Opcode Fuzzy Hash: e34d4602ed702dff9006ef70f70129532f64560ddef90bbe3af033634415f953
                                                        • Instruction Fuzzy Hash: E0311430B102098FDB69AB74C56466F7BE2AB89710F244569E842EB748DF35CD02C7D1
                                                        Function 069721C0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: PHq
                                                        • API String ID: 0-3820536768
                                                        • Opcode ID: 5c5eac1424b9528686bd7cef509581c44d0d072c5978ddedbc306268192bc432
                                                        • Instruction ID: efe254ebdc1bafe681be7eec7cb569173ba0b755a605706edd4028698dcd4eb1
                                                        • Opcode Fuzzy Hash: 5c5eac1424b9528686bd7cef509581c44d0d072c5978ddedbc306268192bc432
                                                        • Instruction Fuzzy Hash: 8A31D030B102098FDB69AB79C55466F7BE6BB89710F204568E402EB348EF35DD02CBD5
                                                        Function 06978109 Relevance: 1.3, Strings: 1, Instructions: 56COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $q
                                                        • API String ID: 0-1301096350
                                                        • Opcode ID: 492e7f91711b0eda662afa61bdb0ac613e8f238f68a091859cdb7b7002de9e51
                                                        • Instruction ID: 9e00b48c7dd19132dc83c8f995e4b21b325793b521c2b1a87545606c56be7447
                                                        • Opcode Fuzzy Hash: 492e7f91711b0eda662afa61bdb0ac613e8f238f68a091859cdb7b7002de9e51
                                                        • Instruction Fuzzy Hash: 81019C36E04208EFDB248E61EE496AABFBCFF80320F140879D950E3950DB309D41C790
                                                        Function 069746F1 Relevance: 1.3, Strings: 1, Instructions: 25COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \Oq
                                                        • API String ID: 0-643489707
                                                        • Opcode ID: 948807994aed6de4b855cc4219ff215337d73de009ad6ad1dc3b50191fde71ac
                                                        • Instruction ID: 42b74d12d15a491072b4e283fd697b5a6069159eb8a4bb82beb6b40aecb9f180
                                                        • Opcode Fuzzy Hash: 948807994aed6de4b855cc4219ff215337d73de009ad6ad1dc3b50191fde71ac
                                                        • Instruction Fuzzy Hash: C3F0D430A50219DFDB14DF94E869BAEBBB2FF88B00F204519E402A7694CB741C45CFC0
                                                        Function 06975E90 Relevance: .2, Instructions: 229COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9acc456762cbd0f640c3cd206ea4f6fd1efdd2ac0b9522a37d6db47fda125414
                                                        • Instruction ID: 9c0088d2afc9fa280eae8a45f7545a75714b7f1b31d8baf84b39b2cd8b2e6805
                                                        • Opcode Fuzzy Hash: 9acc456762cbd0f640c3cd206ea4f6fd1efdd2ac0b9522a37d6db47fda125414
                                                        • Instruction Fuzzy Hash: 3F61A771F005214FDF549A7EC8406AFBADBAFC4210B294439D80AEB364DEB5ED4287D6
                                                        Function 06973F40 Relevance: .2, Instructions: 223COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bf9004e4336db6e33f6515301b2ec8ee03368086c397905cf76a37e1665024de
                                                        • Instruction ID: 24e41b6ea0bc9e918b99c5716c6eea6b2c966e3bcdb4752ed5a300dbe31e38eb
                                                        • Opcode Fuzzy Hash: bf9004e4336db6e33f6515301b2ec8ee03368086c397905cf76a37e1665024de
                                                        • Instruction Fuzzy Hash: AB813D30B006098FDB54DBA9D5507AEBBF7AF89300F208529D40ADB759EF31DD468B91
                                                        Function 0697425C Relevance: .2, Instructions: 222COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ec50fc827de0efcca2f8f3e7afc87807af1458d7ee9c8c861bb4b0fd2a65ad3c
                                                        • Instruction ID: 64111ca02cef4b8eaff3a558b27b8f814bac090ab5bb1afc27acda713d348992
                                                        • Opcode Fuzzy Hash: ec50fc827de0efcca2f8f3e7afc87807af1458d7ee9c8c861bb4b0fd2a65ad3c
                                                        • Instruction Fuzzy Hash: 6C913D34E006198FDF60DF68C890B9DBBB1FF89310F208599D549BB295DB70A985CF91
                                                        Function 06974270 Relevance: .2, Instructions: 210COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4a64c225af2b9f9c005cdb2bb166941eeed748444bf36b52ac4d6518533fac10
                                                        • Instruction ID: 45b468bf2dcb7897bbb997f425b89f5f2e9c6e822be0cc2e0e4cc2e452d4d654
                                                        • Opcode Fuzzy Hash: 4a64c225af2b9f9c005cdb2bb166941eeed748444bf36b52ac4d6518533fac10
                                                        • Instruction Fuzzy Hash: 84912D34E106198BDF60DF68C890B9DB7B1FF89310F208699D549BB385EB70A985CF91
                                                        Function 0697EBB3 Relevance: .2, Instructions: 204COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0d90ab8310eb6cd868183506e55897d3fb9b80efc163926dddefc1bfbe8d7f7e
                                                        • Instruction ID: 88eb7292056a82aa575b586789a2ff1f6a00a394a355e0768937038e1d393d50
                                                        • Opcode Fuzzy Hash: 0d90ab8310eb6cd868183506e55897d3fb9b80efc163926dddefc1bfbe8d7f7e
                                                        • Instruction Fuzzy Hash: 4F713C34E002099FDB54DBA9D980AAEBBF6FF88300F248569D405EB754DB30ED46CB54
                                                        Function 0697EBC0 Relevance: .2, Instructions: 201COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4491701e5db89a11953504781f5d1ee51c5412c60f69354ac83fcdab111acef3
                                                        • Instruction ID: 0600a588888a552636309d8800ef3725a86974d6a9f05b66e039f5e1d5c6d4d1
                                                        • Opcode Fuzzy Hash: 4491701e5db89a11953504781f5d1ee51c5412c60f69354ac83fcdab111acef3
                                                        • Instruction Fuzzy Hash: 88712B34E002099FDB54EBA9D980AAEBBF6FF88300F248569D405EB754DB30ED46CB55
                                                        Function 0697FD29 Relevance: .2, Instructions: 179COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 67e80c11f3b2f4701aac860e5ab4398ac178389b3fa004cefe10bfb5790339ec
                                                        • Instruction ID: 2a4e213850fa0eece247fe0122eb03f20703a74134af50ce688ab496818e6dcf
                                                        • Opcode Fuzzy Hash: 67e80c11f3b2f4701aac860e5ab4398ac178389b3fa004cefe10bfb5790339ec
                                                        • Instruction Fuzzy Hash: 64510431E002089FDF64EF78E4546AEBBB6FF85315F20886AE106E7654DF318845CB84
                                                        Function 0697F6D0 Relevance: .2, Instructions: 172COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: de675c8241b5ea7a039a24ffacb280fbea1bd739aa7d1b82b63598b4fd0d5442
                                                        • Instruction ID: 27eac760e91b6bf09432ac7cb0b39b74b58338229cdf2eb1313e4c59d706955f
                                                        • Opcode Fuzzy Hash: de675c8241b5ea7a039a24ffacb280fbea1bd739aa7d1b82b63598b4fd0d5442
                                                        • Instruction Fuzzy Hash: A251A834F102149BEF74666CD89476F3A5EE789310F30442AE50BE7B99CB79DC4293A1
                                                        Function 0697F6E0 Relevance: .2, Instructions: 163COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 82b559ef1b67ad06fb93c035a134601345f1f450b738e5b87ed7991625f467c5
                                                        • Instruction ID: 48b4e34d5322fd241204d28bb190fdbebc717b1103d648537f2ef7693db20d4c
                                                        • Opcode Fuzzy Hash: 82b559ef1b67ad06fb93c035a134601345f1f450b738e5b87ed7991625f467c5
                                                        • Instruction Fuzzy Hash: 2751B634F102149BEF64666CD894B6F365EE78D310F304429D50BE7B99CB79DC4293A1
                                                        Function 069750B0 Relevance: .1, Instructions: 131COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: efe802b6358c3cb14876e3dab09bf6028850bfc2a2923f20e6b2d48c56dc407d
                                                        • Instruction ID: 4e34011743b6bb52425bf10f332f24e5c08049e09ffc3c72e1ca40752dffd10f
                                                        • Opcode Fuzzy Hash: efe802b6358c3cb14876e3dab09bf6028850bfc2a2923f20e6b2d48c56dc407d
                                                        • Instruction Fuzzy Hash: D8417F31E006098FDBB0CF99D880AAFF7B5FB84310F21492AE155D7A50DB30E8458B91
                                                        Function 0697DA08 Relevance: .1, Instructions: 103COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4cb4a2b9ed0d02260b7e1b08d9c943f091f3944d87bd91b9ee4f223767ecee96
                                                        • Instruction ID: 7ce39f6be275ef46ae96dd7d922d912b6139e212ee397cf648b8afa65c84505c
                                                        • Opcode Fuzzy Hash: 4cb4a2b9ed0d02260b7e1b08d9c943f091f3944d87bd91b9ee4f223767ecee96
                                                        • Instruction Fuzzy Hash: 0431C634E1071A9FDF29DF64D840A9EBBB6FF85310F244529E805EB644DB70B94ACB90
                                                        Function 06972070 Relevance: .1, Instructions: 100COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 387da6591170031371241d7ede013cc83f4788c57200a0b933cb92116a8e93a7
                                                        • Instruction ID: 844f3de58a0f6cf5d2e2e840b8aba720ee3f1bea84eb7011951f0339993ed38c
                                                        • Opcode Fuzzy Hash: 387da6591170031371241d7ede013cc83f4788c57200a0b933cb92116a8e93a7
                                                        • Instruction Fuzzy Hash: C0319C34E102099FCB59CF74D854AAEBBF6BF89300F208419E946AB754EB71ED46CB50
                                                        Function 06972080 Relevance: .1, Instructions: 91COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 02bb9e3685016c026e23f3b50f7e523072cb3b2130e4fb79c05c041504db3f4a
                                                        • Instruction ID: 7b26e9450248f061f7828d09ce1d843f72701b23018cb19798abd3b83ff5242c
                                                        • Opcode Fuzzy Hash: 02bb9e3685016c026e23f3b50f7e523072cb3b2130e4fb79c05c041504db3f4a
                                                        • Instruction Fuzzy Hash: 7D317A30E206099FCB59CF64D854A9EB7F6BF88310F208529E906EB754DB71AD46CB50
                                                        Function 06973B48 Relevance: .1, Instructions: 87COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a3d8a8fb76192633f4ce0013294731785dfad640262b4a6b4562e701786a55e1
                                                        • Instruction ID: 7a936ab47174ca1a46aec25823f04774152d39d257f9964a4e1e4d8e42b85ad7
                                                        • Opcode Fuzzy Hash: a3d8a8fb76192633f4ce0013294731785dfad640262b4a6b4562e701786a55e1
                                                        • Instruction Fuzzy Hash: DA218D75F00A18AFDF50DFA9D941AEEBBF5AB49310F108025E905E7754EB30D941ABA0
                                                        Function 06973B58 Relevance: .1, Instructions: 78COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5b6bc4a2f30b8a374b025c58b3984d2039a616fee044da878a7ddc4439996051
                                                        • Instruction ID: 9d351b068c3aa4a7da032bb8cb970a9e1ef7ad0c7610edc1a497e02f62a67866
                                                        • Opcode Fuzzy Hash: 5b6bc4a2f30b8a374b025c58b3984d2039a616fee044da878a7ddc4439996051
                                                        • Instruction Fuzzy Hash: AE216975E00A189FDB50DFA9D981AAEBBF5EB48310F148029E905E7754EB31D940DB90
                                                        Function 0106D030 Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3737109013.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_106d000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6cbb68f71a8888572499b5677c37180cac2e987cddf84ce317f3d90f50e184a8
                                                        • Instruction ID: b3308719b5d607bb81f1d43cd6eb39edac36ff9b4caa313ba1bb74eb48815262
                                                        • Opcode Fuzzy Hash: 6cbb68f71a8888572499b5677c37180cac2e987cddf84ce317f3d90f50e184a8
                                                        • Instruction Fuzzy Hash: 8D21F571604204DFEB15DF94D9C0B16BBA9EB84314F24C5ADE9C94F256C336D447CB62
                                                        Function 0106D006 Relevance: .1, Instructions: 71COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3737109013.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_106d000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5dacb0420bb1538a14f30040264b7018b6b7b6ac4a35d6b62ae986f666dea204
                                                        • Instruction ID: f9d5cb7900624a04ae75e7d1aefbf4cf41cf85f62d6c48463c5bc2ca93abb532
                                                        • Opcode Fuzzy Hash: 5dacb0420bb1538a14f30040264b7018b6b7b6ac4a35d6b62ae986f666dea204
                                                        • Instruction Fuzzy Hash: 0B214B715093C09FD703CB64D990B11BFB5AF46214F2985DBD8898F2A7C23A985ACB62
                                                        Function 06973C68 Relevance: .1, Instructions: 59COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 90092534f8f5ae80a6cfcf9d2972aa7f7a8ee019faf8491464e3669bcf970704
                                                        • Instruction ID: 8a1283bbc830eb23e6aaf1e703707c410c09d4aa80ca79051281c39653171f74
                                                        • Opcode Fuzzy Hash: 90092534f8f5ae80a6cfcf9d2972aa7f7a8ee019faf8491464e3669bcf970704
                                                        • Instruction Fuzzy Hash: 76118E32B105284FDF949A79D8146EE7BEAABC8311F148539D406E7748EE24DD029BD0
                                                        Function 06973EA3 Relevance: .1, Instructions: 58COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e49f467ac0276b2b24c4cc82798cd5a79c8a0519da0ba55c1115ebffa4dc6a91
                                                        • Instruction ID: 58b4b34ae0da98e2799841d98ec934e95eef1d36034b1fe256f9fbcc10dccaa6
                                                        • Opcode Fuzzy Hash: e49f467ac0276b2b24c4cc82798cd5a79c8a0519da0ba55c1115ebffa4dc6a91
                                                        • Instruction Fuzzy Hash: 22012D307042101FEB61963DE810B2BBBDEDFC6350F248469F14ACB785DD65DC469395
                                                        Function 0697EE31 Relevance: .1, Instructions: 55COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2955f0be7abf066ec20a06ca8fa17dff19442bea838abf7d224db44192acf896
                                                        • Instruction ID: 17c3f894af965b0cb8a4fa1557d34a3af6a960b4647b50285a4b96c53a1b1979
                                                        • Opcode Fuzzy Hash: 2955f0be7abf066ec20a06ca8fa17dff19442bea838abf7d224db44192acf896
                                                        • Instruction Fuzzy Hash: 5B01BC35B102145FCB659A2DA894B2F77DAEFCA714F2088A9F50ACB344EA21DC024396
                                                        Function 06973C57 Relevance: .1, Instructions: 55COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 71b927eff60c5dc56a942d918196d02f741224edbc1725974705c28651982d02
                                                        • Instruction ID: 70e956afeb0f82fe968b3ccb517962d4e3050d55de7e373fc9080e45e298b5d9
                                                        • Opcode Fuzzy Hash: 71b927eff60c5dc56a942d918196d02f741224edbc1725974705c28651982d02
                                                        • Instruction Fuzzy Hash: 6101D232B000289BCFA49A7E98216EF7BEAABC8311F18403AD415D7684EF208D0197E1
                                                        Function 06973921 Relevance: .1, Instructions: 54COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cead6e600c49783a8ee86b8f0bc8e01aae20fefc2e2fc644534a7914b9083a7e
                                                        • Instruction ID: d0cfcf90bc70acb9b2d31732d31c21bbb1274fbba21080111af185a620c956e9
                                                        • Opcode Fuzzy Hash: cead6e600c49783a8ee86b8f0bc8e01aae20fefc2e2fc644534a7914b9083a7e
                                                        • Instruction Fuzzy Hash: FB21F2B5D01219AFCB10DF9AD885ADEFBB8FB48314F50812AE918A3240C7746945CFA5
                                                        Function 0697A399 Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 85f9c407a7eb8241e9b527faaa89c00b7e94364660785337d079229c67eed30d
                                                        • Instruction ID: e64d5326f941c0f53db1989f2df95e4000adc0de0206c7bedbc78a3ba7dc99db
                                                        • Opcode Fuzzy Hash: 85f9c407a7eb8241e9b527faaa89c00b7e94364660785337d079229c67eed30d
                                                        • Instruction Fuzzy Hash: 1001B135B145144FCB629A7CF961B1EBBE6EB86210F20842AE10ACB756EE21DC068791
                                                        Function 06973928 Relevance: .1, Instructions: 52COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 58408f2c6ee5fc57ebcfdf66c434ac3939b07f58280ea0bdd45af1a1169cf745
                                                        • Instruction ID: c90c34608d8e36ee494439956525c71ae0deb7c5dce795b5ac2f57d37638e7d8
                                                        • Opcode Fuzzy Hash: 58408f2c6ee5fc57ebcfdf66c434ac3939b07f58280ea0bdd45af1a1169cf745
                                                        • Instruction Fuzzy Hash: 5711C2B5D012199FCB10DF9AD885ADEFBB4FB48310F50812AE918A7240C7746944CFA5
                                                        Function 06973EB0 Relevance: .1, Instructions: 51COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a2af0de02cbb8ca42ddd91eda6b71269bd93536789b7473b200781a9915a65b5
                                                        • Instruction ID: ded7a3b25fb5c7e1d3b6db8f4113796fc46829b11785b689e36a3c188923975c
                                                        • Opcode Fuzzy Hash: a2af0de02cbb8ca42ddd91eda6b71269bd93536789b7473b200781a9915a65b5
                                                        • Instruction Fuzzy Hash: 2B01D130B101200FEBA4956EE410B2FB6DBEBC9750F208439F10ACB744DE62DC065385
                                                        Function 0697EE40 Relevance: .0, Instructions: 49COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fa2a26ecf2e19b62804b747a28b2e1a404b678bdb2ec4a073a59b3d82a30b60b
                                                        • Instruction ID: 87ac8ae4556dff748d64ae4e4183bfefd6d9423b1418294a5a358d956360acd7
                                                        • Opcode Fuzzy Hash: fa2a26ecf2e19b62804b747a28b2e1a404b678bdb2ec4a073a59b3d82a30b60b
                                                        • Instruction Fuzzy Hash: 60018C35B101141FDBA5966DA454B3FB7DBEFC9624F208879F54ACB784EE21DC024385
                                                        Function 0697A3A8 Relevance: .0, Instructions: 46COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: abe0dce4cc50edd3681a3c62edcbd80ac0e6b11cd943a23c9c3caf24cbdef719
                                                        • Instruction ID: 00dba84ba45f72dbb123044f8ee49aadeb331e8882b9f443600851e51a172570
                                                        • Opcode Fuzzy Hash: abe0dce4cc50edd3681a3c62edcbd80ac0e6b11cd943a23c9c3caf24cbdef719
                                                        • Instruction Fuzzy Hash: AB018130B105144FDBA1AA6CE451B1FB7DAEB89315F208429E60ACB748EE61DC065781
                                                        Function 0697AFB0 Relevance: .0, Instructions: 34COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 340f6b5e479e4dcea84b82ad6dea888b2611c7664e5b60d483e7e5debc5720f0
                                                        • Instruction ID: e989fe323f3a5fcd7bb9aeb5e36991b3231b7595979f34ac1fe50f7a41ec133d
                                                        • Opcode Fuzzy Hash: 340f6b5e479e4dcea84b82ad6dea888b2611c7664e5b60d483e7e5debc5720f0
                                                        • Instruction Fuzzy Hash: 8DF0E572E1021C8BDF708A69D844B8EBBBDE745731F20443AE91AE7644D6719C458781
                                                        Function 06976111 Relevance: .0, Instructions: 27COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c9fe8932700fa399866108b13482e95e7d67b08547384875631e06c70fad4505
                                                        • Instruction ID: 607fd34ec7b38915132dfae4baf7b32cfd7eed52dc10d246920393feef53a4f7
                                                        • Opcode Fuzzy Hash: c9fe8932700fa399866108b13482e95e7d67b08547384875631e06c70fad4505
                                                        • Instruction Fuzzy Hash: 5FE0D871E141486BDB60CA70CD4979B7A6CD742208F3144B9E404DB102E537C9018751
                                                        Function 0697469C Relevance: .0, Instructions: 20COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 65a08ceb9b44f95b06eb38b36cd1741a467b5cd6d81b824df2fae02fc109352c
                                                        • Instruction ID: 7b93c4b03e7d82dd28c3cf8084f093bad20a3e58052f50b1690df7f9a2652792
                                                        • Opcode Fuzzy Hash: 65a08ceb9b44f95b06eb38b36cd1741a467b5cd6d81b824df2fae02fc109352c
                                                        • Instruction Fuzzy Hash: 92E0E570954219DFEB608F94D8597AEBBB1BF49B04F204519E002A6655CBB40941CFC0

                                                        Non-executed Functions

                                                        Function 06977338 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
                                                        • API String ID: 0-1298971921
                                                        • Opcode ID: 810b728a3f71f8c2aa01b204127fe8330631709dbb6f36e406517e1a4e08f605
                                                        • Instruction ID: dc3ddc47f7111e7f2ec557c4b60834208eae98bbaff8c2e77b224ca56114d41a
                                                        • Opcode Fuzzy Hash: 810b728a3f71f8c2aa01b204127fe8330631709dbb6f36e406517e1a4e08f605
                                                        • Instruction Fuzzy Hash: DE122C30E01619CFDB64DBA9D894B9EB7B6FF88304F208569D44AAB754DB309D85CF80
                                                        Function 0697A9C8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $q$$q$$q$$q$$q$$q$$q$$q
                                                        • API String ID: 0-3886557441
                                                        • Opcode ID: a03facf83764bf37bb4ecab1a00334148ba1f65a17b940bcd7755945081086d8
                                                        • Instruction ID: 82750cbaf6fac887c4c52fb3fb576d3023bc511e035bef5847935437cc282a7d
                                                        • Opcode Fuzzy Hash: a03facf83764bf37bb4ecab1a00334148ba1f65a17b940bcd7755945081086d8
                                                        • Instruction Fuzzy Hash: 00919030E00209DFEF68EB65E945BAE77F6BF84305F248429E8019B784DB74AC45CB90
                                                        Function 06976D38 Relevance: 7.9, Strings: 6, Instructions: 405COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $q$$q$$q$$q$$q$$q
                                                        • API String ID: 0-2069967915
                                                        • Opcode ID: 182d83335bba9664e7f11ca7db91a9c6b6f7d9e3fb7842c59df9e7b892f7ca78
                                                        • Instruction ID: c95374d5d27ea8abf16592c016d30caaa8d8d81474dcad8ac2ca66b5bc636ad2
                                                        • Opcode Fuzzy Hash: 182d83335bba9664e7f11ca7db91a9c6b6f7d9e3fb7842c59df9e7b892f7ca78
                                                        • Instruction Fuzzy Hash: 13F15230B00609CFDB59EBA4D590BAEBBB6BF84304F248569E4559F758DB31EC42CB84
                                                        Function 06978470 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $q$$q$$q$$q
                                                        • API String ID: 0-4102054182
                                                        • Opcode ID: 1049d230853327435f51d25479237dced8a9cc0068e34d11c5881f8e0dd52a3f
                                                        • Instruction ID: 4403622512798a8165cd9b3d93dacb9c84a861eadde02553a9285af89d71ce76
                                                        • Opcode Fuzzy Hash: 1049d230853327435f51d25479237dced8a9cc0068e34d11c5881f8e0dd52a3f
                                                        • Instruction Fuzzy Hash: 06B14C30F002098FDB64EB65D6946AEB7B6BF84300F248979D456DB794DB75DC82CB80
                                                        Function 06978888 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LRq$LRq$$q$$q
                                                        • API String ID: 0-2204215535
                                                        • Opcode ID: 3b5d933fc53e0e3d0ba9b07c30f1a4685af224384d84e7c8c639992d230c8938
                                                        • Instruction ID: d3620515845cf9ebfc20b9a235b7af6f21950cd9e7e31877b82b48cfd1ac7bcd
                                                        • Opcode Fuzzy Hash: 3b5d933fc53e0e3d0ba9b07c30f1a4685af224384d84e7c8c639992d230c8938
                                                        • Instruction Fuzzy Hash: 4351E530B002059FDB58DB28DA44A6AB7F6FF84314F148969E4019FB99EB30EC41CB55
                                                        Function 0697AD57 Relevance: 5.2, Strings: 4, Instructions: 159COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.3742178851.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_6970000_Quotation.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $q$$q$$q$$q
                                                        • API String ID: 0-4102054182
                                                        • Opcode ID: e0d9fae6601dcf2ca836587ed266b9d7c2d330f400f2f4cf5316eb158b34d277
                                                        • Instruction ID: 886c6be6fb135bd3acb3bb6bb07abc36f18201b7e3207e54e20c2d61279c7359
                                                        • Opcode Fuzzy Hash: e0d9fae6601dcf2ca836587ed266b9d7c2d330f400f2f4cf5316eb158b34d277
                                                        • Instruction Fuzzy Hash: C151A130E102099FDF65DB68E580AAEB7B6FF84315F24852AE801DBB44DB30EC45CB95